
HMAC Generator: Sign & Verify Messages Online

· 7 min read

Try the tool: Open HMAC Generator →

If you have ever integrated a webhook from Stripe or GitHub, you already know the drill: the provider sends a request with a signature header, and your server must recompute the same signature to verify the payload has not been tampered with. That signature is almost always an HMAC. Whether you are debugging a webhook, building an API, or just learning how message authentication works, having a fast, trustworthy tool to generate HMAC signatures on demand saves a lot of time.

Our free HMAC Generator lets you produce HMAC-SHA256, SHA-512, SHA-1, and MD5 signatures directly in your browser — no account required, and your secret key never leaves your device.

What Is HMAC and How Is It Different from a Plain Hash?

A hash function like SHA-256 takes an input and produces a fixed-length fingerprint. The problem is that anyone who knows the algorithm (and everyone does) can reproduce that fingerprint. If an attacker intercepts a message in transit, they can replace it with a different message and simply recompute the hash for the new one; because nothing secret went into the fingerprint, your server would have no way to tell the difference.

HMAC — Hash-based Message Authentication Code — solves this by mixing a secret key into the hashing process. The algorithm, defined in RFC 2104, applies the hash function twice: an inner hash over the key (XORed with one fixed pad constant) followed by the message, and an outer hash over the key (XORed with a second constant) followed by the inner digest. The resulting tag can only be reproduced by someone who holds the same secret, so it is both a proof of integrity (the message was not altered) and of authenticity (only someone with the secret could have produced it).
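The two nested hash applications written out, as an added example in Python (this is illustration code, not the generator's own implementation): the function reproduces RFC 2104 step by step over any hashlib algorithm, including the rule that an over-long key is hashed first, and cross-checks itself against Python's standard hmac module. The key and message values are constructed for the demonstration.

```python
import hashlib
import hmac

# Added example: HMAC as specified in RFC 2104, spelled out so both hash
# applications are visible. Not the generator's own code.


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Compute HMAC(key, message) over the named hashlib algorithm."""
    block_size = hashlib.new(hash_name).block_size  # 64 for SHA-256/SHA-1/MD5, 128 for SHA-512

    # Step 1: a key longer than the block size is first hashed down to digest size.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # Step 2: pad the (possibly hashed) key with zero bytes up to the block size.
    key = key.ljust(block_size, b"\x00")

    # Step 3: derive the inner and outer padded keys with the RFC's constants.
    inner_key = bytes(b ^ 0x36 for b in key)  # ipad
    outer_key = bytes(b ^ 0x5C for b in key)  # opad

    # Step 4: inner hash over (ipad key || message), then outer hash over (opad key || inner digest).
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def hmac_hex(key: bytes, message: bytes, hash_name: str = "sha256") -> str:
    """Hex-encoded tag, the form most webhook providers put in their headers."""
    return hmac_rfc2104(key, message, hash_name).hex()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against Python's hmac module; compare_digest avoids timing leaks."""
    expected = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(hmac_rfc2104(key, message, hash_name), expected)


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    key = b"my-webhook-secret"
    msg = b'{"id":"evt_123","amount":1999}'
    for name in ("sha256", "sha512", "sha1", "md5"):
        print(f"HMAC-{name.upper()}: {hmac_hex(key, msg, name)}")
        assert matches_stdlib(key, msg, name)
    # Changing a single byte of the message changes the whole tag.
    print("tampered:", hmac_hex(key, msg.replace(b"1999", b"1998")))
```

The known-answer vector from RFC 4231 (key of twenty 0x0b bytes, message "Hi There") is a convenient sanity check for any HMAC-SHA256 implementation, including output copied from the generator.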

In short:

                                                Plain Hash   HMAC
Needs a secret key                              No           Yes
Proves message integrity                        Yes          Yes
Proves message authenticity                     No           Yes
Replay-attack resistant (with nonce/timestamp)  No           Yes

Why Use an Online HMAC Generator?

Generating an HMAC from the command line or inside a script is straightforward — once you remember the exact openssl flags or the correct Python import. In practice, developers reach for a browser tool when they need to:

  • Quickly verify a webhook signature during debugging without spinning up a script.
  • Cross-check an implementation to make sure their code produces the correct output.
  • Explore different algorithms (SHA-256 vs SHA-512) to understand how output length varies.
  • Share a reproducible example with a colleague without pushing code.

Because our HMAC Generator runs entirely client-side, you get all these benefits without any privacy trade-off. The computation happens inside your browser using the Web Crypto API; the message and secret key are never transmitted to any server.

How to Generate an HMAC Signature — Step by Step

Getting a result takes less than thirty seconds:

  1. Open the tool. Navigate to the HMAC Generator. No login, no extension to install.
  2. Paste your message. This is the payload you want to authenticate — a JSON body, a query string, a plain string, or any text.
  3. Enter your secret key. Type or paste the shared secret provided by the platform you are integrating with (or your own secret if you are the signer).
  4. Select the algorithm. Choose from HMAC-SHA256 (recommended), HMAC-SHA512, HMAC-SHA1, or HMAC-MD5 depending on what the target system expects.
  5. Copy the output. The hex-encoded signature appears instantly. Use the copy button and paste it wherever you need it.

That is it. No "Generate" button to click — the output updates in real time as you type.

Common Use Cases

Webhook Signature Verification

Services like Stripe, GitHub, Shopify, and Twilio all sign outgoing webhook payloads with HMAC-SHA256. When your endpoint receives the request, it recomputes the HMAC using the raw body and your webhook secret, then compares it against the signature in the request header. If they match, the payload is genuine.

Use the HMAC Generator to manually reproduce this check during local development or when a webhook is failing in production and you want to isolate whether the issue is with the signature logic or the payload itself.

API Request Signing

Many internal and third-party APIs require each request to include an HMAC of the request parameters plus a timestamp. This prevents replay attacks and ensures that requests come from an authorized client. The generator is handy for prototyping the signing logic before you encode it into your SDK or middleware.

Message Integrity in Distributed Systems

When services communicate over a message queue (Kafka, RabbitMQ, SQS), producers can attach an HMAC tag alongside each message. Consumers verify the tag before processing. This guards against corrupted messages or rogue producers that do not hold the shared secret.

Learning and Teaching

HMAC is a foundational concept in applied cryptography. Running live experiments — changing one character in the message and watching the output change completely — is one of the fastest ways to build intuition about how the algorithm behaves.

Tips and Best Practices

Prefer HMAC-SHA256. SHA-256 strikes the right balance between security and performance. HMAC-SHA512 offers a longer tag (useful when the additional length matters), while HMAC-SHA1 and HMAC-MD5 are supported mainly for legacy compatibility. Avoid MD5 and SHA-1 for new systems; neither hash function is considered collision-resistant by modern standards. (HMAC itself does not depend on collision resistance, which is why existing HMAC-SHA1 deployments are not broken by the known SHA-1 collisions, but that is no reason to choose either hash for anything new.)

Keep your secret key private. The entire security guarantee of HMAC rests on the secrecy of the key. Store it in environment variables or a secrets manager, never in source code or version control. Rotate it periodically and immediately if you suspect it has been exposed.

Use a sufficiently long, random key. A key shorter than the hash output length weakens the construction. Aim for at least 32 bytes (256 bits) of random data generated by a cryptographically secure random number generator.

Always compare signatures in constant time. When verifying an HMAC in your own code, use a timing-safe comparison function (like hmac.compare_digest in Python or crypto.timingSafeEqual in Node.js). Byte-by-byte comparison short-circuits on the first mismatch, leaking timing information that can be exploited.

Include a timestamp. HMAC alone does not prevent replay attacks. Combine the signature with a timestamp in the signed payload and reject requests older than a small window (typically 5 minutes).

Common Mistakes to Avoid

  • Signing the wrong data. Stripe, for example, requires you to sign the raw request body, not a parsed JSON object. Parsing and re-serializing can silently change whitespace or key ordering, causing a signature mismatch.
  • Encoding the key incorrectly. Some platforms provide the secret as a hex string, others as plain text, others as base64. Make sure you are feeding the key in the format the platform expects.
  • Using the same key across environments. Development, staging, and production should each have distinct secrets. A leaked development key should not compromise production.
  • Truncating the output. Shorter tags are easier to handle but reduce security. Unless the protocol explicitly specifies truncation, use the full-length output.
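The first two mistakes in the list above, plus the key-length advice from the tips section, made concrete in an added Python example (illustration code, not the generator's or any platform's own): it shows how parsing and re-serializing a JSON body changes the bytes that get signed, how the same secret read as text, hex, or base64 yields different keys, and how to generate a key of the recommended size. All secrets and bodies here are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example: three ways webhook signatures go wrong, with constructed inputs.


def sign(key: bytes, payload: bytes) -> str:
    """HMAC-SHA256 over exactly the bytes given, hex-encoded."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def reserialized_body(raw_body: bytes) -> bytes:
    """What a naive handler signs if it parses the JSON and dumps it again."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


def signature_survives_reserialization(key: bytes, raw_body: bytes) -> bool:
    """True only if parse-then-dump happened to reproduce the original bytes."""
    return hmac.compare_digest(sign(key, raw_body), sign(key, reserialized_body(raw_body)))


def decode_secret(secret: str, encoding: str) -> bytes:
    """Turn the secret as displayed by a platform into the bytes HMAC expects.

    'encoding' is this example's own label for how the platform shows the secret.
    """
    if encoding == "hex":
        return bytes.fromhex(secret)
    if encoding == "base64":
        return base64.b64decode(secret)
    if encoding == "text":
        return secret.encode("utf-8")
    raise ValueError(f"unknown secret encoding: {encoding}")


def generate_secret(num_bytes: int = 32) -> bytes:
    """A fresh 256-bit key from the OS CSPRNG via secrets.token_bytes."""
    return secrets.token_bytes(num_bytes)


def key_is_strong_enough(key: bytes, hash_name: str = "sha256") -> bool:
    """RFC 2104's minimum: at least as many key bytes as the hash output."""
    return len(key) >= hashlib.new(hash_name).digest_size


if __name__ == "__main__":
    key = b"constructed-demo-secret"
    raw = b'{"id":"evt_1","amount":1999}'  # constructed; compact, no spaces
    print("raw body bytes      :", raw)
    print("re-serialized bytes :", reserialized_body(raw))  # json.dumps inserts spaces
    print("same signature?     :", signature_survives_reserialization(key, raw))

    hex_secret = "7365637265742d6b6579"  # the constructed secret "secret-key" shown as hex
    print("key used as text :", sign(decode_secret(hex_secret, "text"), raw))
    print("key decoded hex  :", sign(decode_secret(hex_secret, "hex"), raw))

    fresh = generate_secret()
    print("new key (hex):", fresh.hex(), "strong:", key_is_strong_enough(fresh))
```

Whether re-serialization breaks the signature depends on whether the sender's formatting happens to match your serializer's defaults, which is exactly why it fails "silently": it may work in a test and break on the first payload with different whitespace.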

Frequently Asked Questions

What is the difference between HMAC-SHA256 and SHA-256?

SHA-256 is a cryptographic hash function that takes an arbitrary input and produces a 256-bit digest. It requires no key. HMAC-SHA256 uses SHA-256 internally but folds in a secret key at both the inner and outer hash steps, producing a tag that proves both integrity and authenticity.

Is it safe to paste my secret key into an online tool?

With our tool, yes — because all processing happens inside your browser. The key is never sent over the network. You can verify this by opening your browser's network tab while using the tool; you will see no outbound requests triggered by your input. That said, avoid pasting production secrets into any tool running on a machine you do not fully control.

How do I verify a Stripe webhook signature?

Stripe signs the payload using HMAC-SHA256 with your endpoint's signing secret. The Stripe-Signature header contains a timestamp (t=) and one or more signature values (v1=). To verify manually: build the signed payload string as timestamp + "." + raw_body, compute HMAC-SHA256 using your signing secret, and compare it against the v1 value. Paste that constructed string and secret into the generator to cross-check your implementation.
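The verification flow described in this answer, and in the earlier sections on webhook signature verification, constant-time comparison, and timestamp windows, as one added Python example (illustration code, not Stripe's library or the generator's own): it parses a header of the form described above (t= and one or more v1= values), recomputes HMAC-SHA256 over timestamp + "." + raw body, compares every candidate with hmac.compare_digest, and rejects anything outside a 5-minute window. The helper names, the 300-second tolerance, and the secret and body values are this example's own assumptions.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Added example: Stripe-style webhook verification with a timestamp window
# and constant-time comparison. Not Stripe's own code.

TOLERANCE_SECONDS = 300  # this example's choice, matching the "typically 5 minutes" advice


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=...,v1=...,v1=...' into the timestamp and every v1 signature."""
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for part in header.split(","):
        name, _, value = part.strip().partition("=")
        if name == "t":
            timestamp = int(value)  # ValueError on garbage, caught by the caller
        elif name == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("header is missing t= or v1=")
    return timestamp, signatures


def expected_signature(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over the signed payload: timestamp + '.' + raw body bytes."""
    signed_payload = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, header: str, now: Optional[int] = None) -> bool:
    """True only if the timestamp is within the window and some v1 value matches."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale (or future-dated) event: treat as a replay
    expected = expected_signature(secret, timestamp, raw_body).encode("ascii")
    # compare_digest takes time independent of where the first differing byte is.
    # Every candidate is checked so a rotation period with two v1 values still works.
    return any(hmac.compare_digest(expected, sig.encode("utf-8")) for sig in signatures)


def build_header(secret: bytes, raw_body: bytes, timestamp: int) -> str:
    """Sender side, used here only to construct sample traffic for the demo."""
    return f"t={timestamp},v1={expected_signature(secret, timestamp, raw_body)}"


if __name__ == "__main__":
    secret = b"whsec_constructed_demo_secret"  # constructed, not a real signing secret
    body = b'{"id":"evt_demo","type":"payment_intent.succeeded"}'
    sent_at = 1_700_000_000
    header = build_header(secret, body, sent_at)
    print("header:", header)
    print("fresh and untouched   :", verify_webhook(secret, body, header, now=sent_at + 10))
    print("body tampered         :", verify_webhook(secret, body.replace(b"succeeded", b"failed"), header, now=sent_at + 10))
    print("replayed an hour later:", verify_webhook(secret, body, header, now=sent_at + 3600))
```

To cross-check against the generator, paste the exact string printed as the signed payload (the timestamp, a dot, and the raw body) plus the secret, select HMAC-SHA256, and compare the hex output with the v1 value in the header.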

Can I use this tool for HMAC-SHA512?

Yes. Select SHA-512 from the algorithm dropdown. The output will be a 128-character hex string (512 bits). SHA-512 can be faster than SHA-256 on 64-bit hardware and is preferred in some high-security contexts.

What if I need to hash without a secret key?

If you only need a plain cryptographic hash — no secret, no authentication — check out our companion Hash Generator, which supports SHA-256, SHA-512, SHA-1, MD5, and more for straightforward checksum and fingerprinting tasks.

Conclusion

HMAC is one of the most practical tools in a developer's security toolkit, and understanding it well pays dividends every time you integrate a webhook, sign an API request, or design a message-passing system. Getting the signature right the first time — instead of after an hour of debugging — starts with having a reliable reference tool at hand.

Try it now: the HMAC Generator is free, requires no signup, and keeps your secrets exactly where they belong — in your browser, on your machine.

Ready to use HMAC Generator?

It is free, requires no signup, and runs entirely in your browser.

Open the HMAC Generator