About HMAC Generator

Generate HMAC signatures using SHA-256, SHA-512, and more. Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.

Use Cases

• Verifying webhook signatures from payment providers like Stripe
• Signing API requests for services requiring HMAC authentication
• Generating message authentication codes for data integrity checks
• Testing HMAC implementations during security library development

Tips

• Choose SHA-256 for general-purpose webhook signature verification
• Use SHA-512 for higher security requirements in API signing
• Paste the secret key and message to generate the HMAC instantly

Fun Facts

• HMAC was published in RFC 2104 in 1997 by Mihir Bellare, Ran Canetti, and Hugo Krawczyk, and its security proof remains unbroken.
• HMAC-SHA256 is used by AWS Signature Version 4 to authenticate every API request made to Amazon Web Services.
• The 'H' in HMAC stands for 'Hash-based,' and the algorithm works by hashing the message twice with the key in different paddings.

FAQ

What's HMAC for?

Verifying that a message hasn't been tampered with. Combines a secret key with a hash (SHA-256, SHA-512) to produce a signature. Used in webhooks, API signatures, JWT.

Which hash should I use?

SHA-256 is the modern default. SHA-1 is deprecated but still common in legacy systems. SHA-512 is slightly stronger but rarely necessary.

How do I verify?

Compute HMAC on your side with the same key; compare with the received signature using a constant-time comparison (to prevent timing attacks).

Can it encrypt?

No — HMAC is for authentication, not encryption. Pair with AES for authenticated encryption (or use AES-GCM which does both).