HMAC Generator
Generate HMAC signatures using different algorithms. Enter your message, secret key, and select an algorithm to get the HMAC hash.
HMAC Signatures
HMAC (Hash-based Message Authentication Code) combines a message with a secret key to produce a signature. Only someone with the key can generate or verify the signature. This proves both data integrity and authenticity.
Used in API authentication, webhook verification, and secure communications. The sender and receiver share a secret key; the sender attaches an HMAC to messages; the receiver verifies it matches.
How It Works
- Combine the secret key with the message (through the inner and outer key-padding steps, not plain concatenation)
- Hash with chosen algorithm (SHA-256, etc.)
- Result is the HMAC signature
Understanding HMAC
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a signature. Unlike a simple hash, HMAC proves both that the message wasn't altered AND that it came from someone who knows the secret key. The formula is: HMAC = Hash((Key XOR opad) || Hash((Key XOR ipad) || Message)), where the key is first brought to the hash function's block size (hashed if it is longer than a block, then zero-padded) and ipad/opad are the fixed bytes 0x36 and 0x5C repeated to that block size.
HMACs are widely used in APIs, JWT signatures, cookie validation, and any system needing message authentication. AWS, Stripe, GitHub, and most major APIs use HMAC-SHA256 to sign requests, preventing tampering and verifying the sender's identity without exposing the secret key.
When Developers Actually Use This
Hashing comes up constantly in backend development, often in ways that aren't immediately obvious. The most common scenario is verifying file integrity — if you're distributing a build artifact, a configuration file, or a data export, generating a SHA-256 hash of the file before sending it lets the recipient confirm the file wasn't corrupted or tampered with in transit. Package managers like npm and pip do this automatically, but for manual file transfers or custom deployment scripts, you often need to generate and verify these hashes yourself.
Another frequent use is working with webhook signatures. Services like GitHub, Stripe, and Twilio sign their webhook payloads using HMAC-SHA256: they compute an HMAC of the request body using a shared secret and include it in a header. To verify the webhook is genuinely from them and not a spoofed request, you compute the same HMAC on your end and compare. Testing this verification logic requires being able to generate the expected signature for a known payload and secret, which is exactly what the HMAC generator here supports. MD5 is also still commonly used for generating cache keys and ETags, even though it's no longer suitable for security-critical applications.
Frequently Asked Questions
What's the difference between HMAC and a regular hash?
A regular hash like SHA-256 only verifies data integrity: anyone can compute the same hash. HMAC requires a secret key, so only parties with the key can create or verify the signature. This authenticates the sender as well as the message.
Which algorithm should I use?
HMAC-SHA256 is the industry standard for new applications. Avoid MD5 and SHA-1 for new projects due to known weaknesses. SHA-384 and SHA-512 offer extra security for high-value applications but are slower. SHA-256 provides an excellent balance.
How long should my secret key be?
Keys should be at least as long as the hash output: 32 bytes (256 bits) for SHA-256. Use cryptographically random key generation. Never use predictable values like passwords. Store keys securely, never in code or version control.
How do I verify an HMAC signature?
Compute the HMAC of the received message using your shared secret key, then compare it to the provided signature. Use constant-time comparison to prevent timing attacks. If they match, the message is authentic and unmodified.
What's a timing attack?
Regular string comparison stops at the first different character, leaking information about correct characters through response time. Attackers can exploit this to guess signatures character by character. Constant-time comparison (like hash_equals in PHP) always takes the same time regardless of match position.
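The construction from the formula above and the verify-with-constant-time-comparison procedure from the last two answers, as an added Python example (not code from this tool's page); the secret, body and `hmac_from_formula` / `verify_webhook` names are constructed for illustration:

```python
import hashlib
import hmac
import secrets


def hmac_from_formula(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC computed literally as Hash((K ^ opad) || Hash((K ^ ipad) || M)),
    including the key preprocessing the one-line formula leaves implicit."""
    block_size = hashlib.new(hash_name).block_size   # 64 for SHA-256, 128 for SHA-512
    if len(key) > block_size:                        # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")             # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the hand-rolled construction against the standard library."""
    reference = hmac.new(key, message, getattr(hashlib, hash_name)).digest()
    return hmac_from_formula(key, message, hash_name) == reference


def generate_key(hash_name: str = "sha256") -> bytes:
    """Random key at least as long as the hash output (32 bytes for SHA-256)."""
    return secrets.token_bytes(hashlib.new(hash_name).digest_size)


def sign_webhook(secret: bytes, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the raw request body, sent in a header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver side: recompute over the raw bytes and compare in constant time.
    compare_digest never short-circuits on the first differing character."""
    expected = sign_webhook(secret, body)
    return hmac.compare_digest(expected, header_value)


# Constructed sample data, not taken from any real service.
SECRET = b"constructed-example-secret"
BODY = b'{"event":"payment.succeeded","amount":1999}'
SIGNATURE = sign_webhook(SECRET, BODY)
```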
Is HMAC the same as encryption?
No! HMAC provides authentication (proves the message is from someone with the key) and integrity (detects tampering), but the message content remains readable. For confidentiality, you need encryption. Many systems use both: encrypt for privacy, then HMAC for authentication.
Where are HMACs commonly used?
API request signing (AWS, Stripe, webhooks), JWT signatures, cookie authentication, OAuth implementations, and any system where message authenticity matters. They're fundamental to modern web security infrastructure.