Home/Security Tools/HMAC generator

HMAC

HMAC Generator

Runs in your browser using WebCrypto — no network requests.

Local only Secret key required
MessageUTF-8
Secret key(not sent anywhere)

Output

HMAC size: 32 bytes

Encoding

HMAC (SHA-256)

What HMAC is

HMAC combines a secret key and a hash (like SHA-256) to produce a tag you can use to verify the message was not altered and came from someone who knows the secret.

Good defaults

  • Use HMAC-SHA-256 unless you have a reason to pick something else.
  • Use a random key (32 bytes or more) for API signing.
  • Send the message and HMAC; keep the secret private.

Quick verification examples

OpenSSL (hex output)

printf '%s' "message" | openssl dgst -sha256 -hmac "secret"

Node.js (base64 output)

node -e "console.log(require('crypto').createHmac('sha256','secret').update('message').digest('base64'))"

How it works

Uses WebCrypto to compute an HMAC over your input with the chosen hash and secret, then formats the tag as hex or Base64. Everything runs locally.

  • HMAC authenticates data integrity, it does not encrypt the message.
  • Keep the secret key private; anyone with the key can forge tags.

Quick examples

API signature
Alg: SHA-256 | Key: 32-byte secret
Output: Base64 tag for header
File integrity
Alg: SHA-512 | Key: build-key
Output: hex tag to compare

Switch encoding to match your protocol.

Mini FAQ

Which hash should I pick?

SHA-256 is a solid default; SHA-512 for extra margin.

Can I reuse the secret?

Use distinct keys per system; rotate periodically.

Why is Base64 output shorter?

Base64 is compact encoding; hash strength stays the same.