🦁 IP Animals

HMAC Generator

Compute an HMAC of a message with a secret key, using SHA-1, SHA-256, SHA-384 or SHA-512. Powered by the Web Crypto API and computed entirely in your browser: your message and key are never transmitted.


About HMAC

HMAC stands for Hash-based Message Authentication Code. It takes a message and a secret key, runs them through a hash function in a specific two-pass construction, and produces a fixed-length tag, shown here in hexadecimal. Anyone sharing the key can recompute the tag to confirm two things at once: the message has not been tampered with, and it really came from someone who holds the key.

This is why HMAC is everywhere in web infrastructure: signing API requests, validating webhook payloads (Stripe, GitHub and others send an HMAC header), issuing signed cookies, and inside protocols like TLS. A plain hash cannot do this on its own because anyone can compute it; the shared secret is what turns integrity into authenticity.

🔒 Computed locally, never transmitted

The HMAC is produced in your browser using crypto.subtle.importKey() and crypto.subtle.sign(). Your message and secret key stay on your device; they are never uploaded, logged, or stored. You can compute HMACs entirely offline.
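The two Web Crypto calls named above, plus the receiving side's check with crypto.subtle.verify(), as an added example (not this tool's own source). The function names are hypothetical, and the key and message are the published RFC 4231 test case 2 values, treated as UTF-8 text as this tool does.

```javascript
// Added example: HMAC tag generation and verification with the Web Crypto API.
// Works in browsers; the fallback covers Node versions without a global `crypto`.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder(); // message and key are treated as UTF-8 text

// Import a text secret as a non-extractable HMAC key for the given hash
// ("SHA-1", "SHA-256", "SHA-384" or "SHA-512").
async function importHmacKey(secret, hash, usages) {
  return subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash }, false, usages);
}

// Sender side: compute the tag and render it as lowercase hex.
async function hmacHex(secret, message, hash = "SHA-256") {
  const key = await importHmacKey(secret, hash, ["sign"]);
  const tag = await subtle.sign("HMAC", key, enc.encode(message));
  return Array.from(new Uint8Array(tag), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Receiver side (e.g. a webhook handler): check a hex tag against the message.
// subtle.verify() recomputes the tag and does the comparison itself, so no
// hand-written === on hex strings is needed.
async function verifyHmacHex(secret, message, tagHex, hash = "SHA-256") {
  if (!/^(?:[0-9a-f]{2})+$/i.test(tagHex)) return false; // reject malformed hex
  const tag = Uint8Array.from(tagHex.match(/../g), (h) => parseInt(h, 16));
  const key = await importHmacKey(secret, hash, ["verify"]);
  return subtle.verify("HMAC", key, tag, enc.encode(message));
}

// Sample input: RFC 4231 test case 2 (key "Jefe").
hmacHex("Jefe", "what do ya want for nothing?").then((tag) => console.log(tag));
```

A tag that is truncated, computed under a different key, or paired with a modified message fails verification.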

Choosing an algorithm

  • HMAC-SHA256: the modern default; widely supported and a safe choice for new systems.
  • HMAC-SHA384 / SHA512: longer tags for extra margin.
  • HMAC-SHA1: for legacy compatibility only; avoid it in new designs.

Keep your secret key long and random; generate one with our token generator. When you only need an unkeyed fingerprint of some data, use the hash generator instead. HMAC also underpins the certificates and handshakes explained in what TLS/SSL is. This tool treats both the message and key as UTF-8 text.

Frequently asked questions

What is an HMAC?

HMAC (Hash-based Message Authentication Code) combines a message with a secret key and a hash function to produce a tag. Anyone who knows the key can verify that the message is authentic and unchanged, but nobody can forge a valid tag without the key.

How is HMAC different from a plain hash?

A plain hash proves a message was not altered, but anyone can compute it, so it does not prove who sent it. HMAC mixes in a shared secret key, so a matching tag also authenticates the sender. It is the standard way to sign API requests and webhooks.

Is my message or key sent anywhere?

No. The HMAC is computed in your browser with crypto.subtle.importKey and crypto.subtle.sign. Your message and secret key never leave your device: nothing is uploaded, logged, or stored, and it works offline.

Which hash algorithm should I choose?

HMAC-SHA256 is the modern default and a good choice for most systems. SHA-384 and SHA-512 give longer tags; SHA-1 is offered only for compatibility with legacy systems and should be avoided for new designs.
