HMAC Generator
Compute HMAC (SHA-1/256/384/512) signatures for webhooks, API requests and integrity checks. Client-side via Web Crypto.
Last updated: April 2026 · Runs in your browser · No sign-up
Typical HMAC usage
- Webhook signatures: GitHub, Stripe and Slack all use HMAC-SHA256.
- AWS request signing (Signature Version 4).
- JWT HS256/384/512 tokens.
- Session cookies signed to detect tampering.
Security essentials
Use a key with at least 128 bits of entropy. Never log or print it. Use constant-time comparison (crypto.timingSafeEqual in Node, hmac.compare_digest in Python) when verifying; regular string equality leaks timing information.
Frequently Asked Questions
What's HMAC?
Hash-based Message Authentication Code. It combines a secret key with a hash function to prove both integrity (the message wasn't tampered with) and authenticity (the sender knew the key).
Which hash function should I use?
HMAC-SHA256 is the modern default: fast, secure, widely supported. SHA-1 is deprecated because of collision attacks, but HMAC-SHA1 is still safe; legacy systems often use it. Use SHA-512 for extra margin.
How do I verify webhooks (GitHub, Stripe)?
Compute HMAC of the request body using your webhook secret. Compare against the signature header (X-Hub-Signature or Stripe-Signature). Use constant-time comparison to prevent timing attacks.
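The verification steps above as an added Node.js example (not this tool's own code). It assumes a header value of the form `sha256=<hex>`; the function names, secret and body are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Algorithms this receiver accepts. The header names an algorithm, but the
// receiver decides which ones it trusts, so a sender cannot downgrade it.
const ALLOWED = new Set(['sha256']);

// Sign the raw body; returns "<algo>=<hex>" (assumed header value format).
function signBody(secret, rawBody, algo = 'sha256') {
  return `${algo}=` + createHmac(algo, secret).update(rawBody).digest('hex');
}

// Verify a signature header against the raw request bytes.
// Pass the bytes exactly as received: re-serialising parsed JSON changes them.
function verifyWebhook(secret, rawBody, headerValue) {
  if (typeof headerValue !== 'string') return false;   // header missing
  const sep = headerValue.indexOf('=');
  if (sep < 1) return false;                           // no "<algo>=" prefix
  const algo = headerValue.slice(0, sep).toLowerCase();
  const hex = headerValue.slice(sep + 1);
  if (!ALLOWED.has(algo)) return false;
  if (!/^[0-9a-f]+$/i.test(hex) || hex.length % 2 !== 0) return false;

  const expected = createHmac(algo, secret).update(rawBody).digest();
  const received = Buffer.from(hex, 'hex');
  // timingSafeEqual throws on unequal lengths, so check first. The digest
  // length is fixed by the algorithm and public, so this reveals nothing.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Constructed sample data (not a real secret or payload).
const SECRET = 'constructed-demo-secret-not-real';
const BODY = Buffer.from('{"event":"ping","id":1}');
const GOOD = signBody(SECRET, BODY);

console.log('valid signature :', verifyWebhook(SECRET, BODY, GOOD));
console.log('tampered body   :', verifyWebhook(SECRET, Buffer.from('{"event":"ping","id":2}'), GOOD));
console.log('missing header  :', verifyWebhook(SECRET, BODY, undefined));
```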
Is HMAC the same as a digital signature?
No. HMAC uses a shared secret: both sides can generate and verify. Digital signatures (RSA, ECDSA) use public/private keys: only the holder of the private key can sign, while anyone can verify.