HMAC Generator
Generate Hash-based Message Authentication Codes (HMAC) with SHA-256, SHA-384, or SHA-512. Used to sign API requests, verify webhook payloads, and authenticate messages between two parties sharing a secret. WebCrypto-backed.
What HMAC is for
HMAC proves two things about a message: it came from someone who knows the secret key, and it hasn't been tampered with in transit. Both sender and receiver share a secret; the sender computes HMAC(message, secret) and includes it; the receiver computes the same and compares. If they match, the message is authentic.
Webhook verification is the most common use. GitHub, Stripe, Twilio, and others sign their webhook payloads with an HMAC over a shared secret. Your server recomputes the HMAC over the received body and compares. If they don't match, the webhook was forged or tampered with, so reject it.
Picking an algorithm
HMAC-SHA-256 is the modern default: supported everywhere, fast, secure. HMAC-SHA-512 is sometimes preferred on 64-bit servers, where it's actually slightly faster than SHA-256 due to the wider native word size. HMAC-SHA-1 is still cryptographically secure (HMAC's construction protects against SHA-1's collision weakness), but most new systems use SHA-256 or larger to avoid concerns about SHA-1 and to align with the rest of the cryptographic stack.
Key length
HMAC keys should be at least as long as the hash digest: 32 bytes for HMAC-SHA-256, 48 for SHA-384, 64 for SHA-512. Shorter keys are weaker. Don't use a low-entropy password as an HMAC key; derive the key from a password using HKDF or PBKDF2 first.
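The webhook check and the key-length guidance above, put together as an added example (not code from this page or the tool it describes). The `<alg>=<hex>` signature header format, the function names, and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Supported digests; the minimum key length for each is its digest size.
ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def sign(body: bytes, key: bytes, alg: str = "sha256") -> str:
    """Return the header value '<alg>=<hex HMAC>' for the raw body (assumed format)."""
    digest = ALGORITHMS[alg]
    if len(key) < digest().digest_size:
        raise ValueError(f"key shorter than {digest().digest_size} bytes for {alg}")
    return f"{alg}={hmac.new(key, body, digest).hexdigest()}"


def verify(body: bytes, header: str, key: bytes, allowed=("sha256",)) -> bool:
    """Recompute the HMAC over the raw received bytes and compare in constant time."""
    alg, sep, received_hex = header.partition("=")
    # Accept only algorithms the receiver configured, never whatever the sender names.
    if not sep or alg not in allowed or alg not in ALGORITHMS:
        return False
    try:
        received = bytes.fromhex(received_hex)
    except ValueError:
        return False  # malformed hex in the header
    expected = hmac.new(key, body, ALGORITHMS[alg]).digest()
    # compare_digest avoids leaking, through timing, how many leading bytes matched.
    return hmac.compare_digest(expected, received)


def key_from_password(password: str, salt: bytes, length: int = 32) -> bytes:
    """Derive an HMAC key from a password with PBKDF2 (iteration count is assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000, dklen=length)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # random 32-byte key for HMAC-SHA-256
    body = b'{"event":"payment.succeeded","id":"evt_constructed_1"}'  # constructed payload
    header = sign(body, key)
    print("untampered:", verify(body, header, key))
    print("tampered:  ", verify(body.replace(b"succeeded", b"refunded"), header, key))
```

Verify against the exact bytes received on the wire; re-serialising parsed JSON before hashing can change whitespace or key order and break a valid signature.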