HMAC
HMAC Generator
Runs in your browser using WebCrypto — no network requests.
Output
HMAC size: 32 bytes
HMAC (SHA-256)
—
What HMAC is
HMAC combines a secret key and a hash (like SHA-256) to produce a tag you can use to verify the message was not altered and came from someone who knows the secret.
Good defaults
- Use HMAC-SHA-256 unless you have a reason to pick something else.
- Use a random key (32 bytes or more) for API signing.
- Send the message and HMAC; keep the secret private.
Quick verification examples
OpenSSL (hex output)
printf '%s' "message" | openssl dgst -sha256 -hmac "secret"Node.js (base64 output)
node -e "console.log(require('crypto').createHmac('sha256','secret').update('message').digest('base64'))"How it works
Uses WebCrypto to compute an HMAC over your input with the chosen hash and secret, then formats the tag as hex or Base64. Everything runs locally.
- HMAC authenticates data integrity, it does not encrypt the message.
- Keep the secret key private; anyone with the key can forge tags.
Quick examples
Switch encoding to match your protocol.
Mini FAQ
Which hash should I pick?
SHA-256 is a solid default; SHA-512 for extra margin.
Can I reuse the secret?
Use distinct keys per system; rotate periodically.
Why is Base64 output shorter?
Base64 is compact encoding; hash strength stays the same.
Related tools