What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic authentication technique that combines a secret key with a message using a hash function to produce an authentication tag. HMAC provides both data integrity verification and authentication: a valid tag shows that the message has not been altered and that it was produced by a party holding the secret key (it does not identify which party, since both sender and receiver hold the same key). Our free online HMAC generator supports popular algorithms including HMAC-SHA256, HMAC-SHA512, HMAC-SHA1, and HMAC-MD5 for various security and authentication needs.
Key Features of Our HMAC Generator
🔐 Multiple Algorithms
Support for HMAC-SHA256, SHA512, SHA1, and MD5 algorithms.
📊 Multiple Formats
Output in hexadecimal or Base64 format based on your needs.
⚡ Instant Generation
Generate HMAC codes instantly in your browser without delays.
🔒 Secure Processing
All computations happen locally - your keys never leave your browser.
📋 Easy Copy
One-click copy functionality to quickly use generated HMACs.
🎯 API Testing
Perfect for testing API authentication and webhook signatures.
How to Use the HMAC Generator
- Enter Message: Type or paste the message/data you want to authenticate in the message field.
- Enter Secret Key: Provide your secret key (shared between sender and receiver).
- Select Algorithm: Choose your preferred algorithm (SHA-256 is recommended for most uses).
- Choose Format: Select hexadecimal or Base64 output format.
- Generate: Click "Generate HMAC" to create your authentication code.
- Copy Result: Use the copy button to quickly copy the HMAC to your clipboard.
Why Use HMAC?
HMAC is essential for modern secure communications and provides several critical benefits:
- Message Authentication: Verify that messages come from legitimate senders with access to the secret key
- Data Integrity: Detect any modifications or tampering with transmitted data
- API Security: Authenticate API requests and prevent unauthorized access
- Webhook Verification: Confirm webhook payloads are from trusted sources
- Lightweight Signing: Authenticate messages and documents cheaply when both parties share a key (HMAC is a MAC, not a digital signature: anyone holding the key can produce a tag, so it gives no non-repudiation)
- Token Generation: Generate secure tokens for session management and authentication
- Key Derivation: HMAC is the pseudorandom function inside PBKDF2 and HKDF, used to derive keys from passwords and shared secrets
How HMAC Works
HMAC combines cryptographic hash functions with secret keys using a specific construction:
- The secret key is padded or hashed to match the block size of the hash function
- The key is XORed with inner and outer padding constants
- The message is concatenated with the inner padded key and hashed
- The result is concatenated with the outer padded key and hashed again
- The final hash is the HMAC authentication code
HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m))
Where K is the key, m is the message, H is the hash function, ⊕ is XOR, || is concatenation, opad and ipad are padding constants.
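To make the five steps above concrete, here is an added example (written for this page, not code from the generator itself) that builds HMAC directly from the formula and checks it against Python's hmac module and the first RFC 4231 test vector. The helper names and the constructed keys and messages are this example's own.

```python
import hashlib
import hmac


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)), as defined in RFC 2104."""
    h = getattr(hashlib, hash_name)
    block_size = h().block_size          # 64 bytes for MD5/SHA-1/SHA-256, 128 for SHA-512

    # Step 1: a key longer than one block is replaced by its hash; the result is
    # zero-padded on the right to exactly one block, giving K'.
    if len(key) > block_size:
        key = h(key).digest()
    k_prime = key.ljust(block_size, b"\x00")

    # Step 2: XOR K' with the two fixed padding constants (0x36 repeated, 0x5C repeated).
    ipad_key = bytes(b ^ 0x36 for b in k_prime)
    opad_key = bytes(b ^ 0x5C for b in k_prime)

    # Steps 3-5: inner hash over (K' XOR ipad) || m, outer hash over (K' XOR opad) || inner.
    inner = h(ipad_key + message).digest()
    return h(opad_key + inner).digest()


def hmac_hex(key: bytes, message: bytes, hash_name: str = "sha256") -> str:
    """Hex form, the same shape the generator shows."""
    return hmac_from_scratch(key, message, hash_name).hex()


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check the hand-rolled construction against the standard library."""
    return hmac.compare_digest(
        hmac_from_scratch(key, message, hash_name),
        hmac.new(key, message, hash_name).digest(),
    )


def long_keys_are_hashed(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """A consequence of step 1: a key longer than the block size and its hash are
    interchangeable keys. For keys within one block this equivalence does not hold."""
    h = getattr(hashlib, hash_name)
    return hmac_from_scratch(key, message, hash_name) == hmac_from_scratch(
        h(key).digest(), message, hash_name
    )


if __name__ == "__main__":
    # RFC 4231 test case 1: key = 0x0b repeated 20 times, data = "Hi There".
    print(hmac_hex(b"\x0b" * 20, b"Hi There"))
    print(matches_stdlib(b"k" * 200, b"long key", "sha512"))
```

The long-key behaviour is worth knowing when you validate keys: for HMAC-SHA256 a 100-byte key and the 32-byte SHA-256 of that key authenticate identically, so "longer key" does not mean "more security" past the block size.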
Supported HMAC Algorithms
HMAC-SHA256 (Recommended)
- 256-bit hash output (64 hex characters)
- Currently the industry standard for secure applications
- Excellent balance of security and performance
- Used by AWS, GitHub, Stripe, and major platforms
- No practical attack on HMAC-SHA256 is known
HMAC-SHA512
- 512-bit hash output (128 hex characters)
- Higher security margin than SHA-256
- Better for long-term security requirements
- Comparable speed to SHA-256 on 64-bit CPUs (often faster for long inputs), at the cost of a larger tag to store and transmit
- Recommended for highly sensitive applications
HMAC-SHA1
- 160-bit hash output (40 hex characters)
- Widely supported for legacy compatibility
- No practical forgery is known: the published SHA-1 collision attacks do not carry over to HMAC-SHA1, whose security rests on the compression function rather than on collision resistance
- Being phased out in favor of SHA-256
- Use only when required for backward compatibility
HMAC-MD5
- 128-bit hash output (32 hex characters)
- Legacy algorithm, avoid for new implementations
- Faster but less secure than SHA variants
- No practical forgery is known (RFC 6151), but MD5 collisions are trivial and new protocols should not use it
- Only use when specifically required
Common HMAC Use Cases
API Authentication
HMAC is widely used to authenticate API requests:
- Sign API requests with HMAC using API secret key
- Server verifies HMAC to authenticate the request
- Prevents tampering with request parameters
- Used by AWS Signature V4, OAuth 1.0, and many REST APIs
Webhook Security
Verify webhook payloads are from trusted sources:
- Service generates HMAC of webhook payload using shared secret
- HMAC included in webhook headers (e.g., GitHub's X-Hub-Signature-256, an HMAC-SHA256 tag; the older X-Hub-Signature header carries HMAC-SHA1)
- Receiver verifies HMAC to confirm authenticity
- Used by GitHub, Stripe, PayPal, and other platforms
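The receiving side of that flow, as an added example (not code from any of the platforms named above): the sender computes the tag over the raw request body and sends it as "sha256=<hex>", the shape GitHub uses for X-Hub-Signature-256; the receiver recomputes over the exact bytes it received and compares in constant time. The secret, the payload and the canonicalized_copy helper are constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample secret and payload; a real secret comes from the provider's dashboard.
WEBHOOK_SECRET = b"whsec_constructed_example_secret"
RAW_BODY = b'{"event":"push","ref":"refs/heads/main"}'


def sign_webhook(secret: bytes, raw_body: bytes) -> str:
    """Sender side: header value in the 'sha256=<hex>' shape."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Receiver side. True only for a well-formed sha256 tag over the exact raw bytes."""
    if not header_value:
        return False                      # a missing header is a rejection, never a pass
    scheme, _, received_hex = header_value.partition("=")
    if scheme != "sha256" or not received_hex:
        return False                      # refuse unknown or weaker schemes instead of falling back
    expected_hex = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the attacker cannot learn the tag byte by byte.
    return hmac.compare_digest(expected_hex, received_hex)


def canonicalized_copy(raw_body: bytes) -> bytes:
    """What you get if you parse the JSON and serialize it again: usually different bytes,
    so a tag computed over the original body will not verify against this."""
    return json.dumps(json.loads(raw_body)).encode()


if __name__ == "__main__":
    header = sign_webhook(WEBHOOK_SECRET, RAW_BODY)
    print(header, verify_webhook(WEBHOOK_SECRET, RAW_BODY, header))
```

The most common bug in webhook handlers is verifying over a re-serialized object rather than the raw body: web frameworks that parse JSON for you change whitespace and key order, and the tag no longer matches. Read the body bytes before any parsing and verify those.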
Session Token Generation
- Create secure session tokens and cookies
- Verify token integrity without database lookups
- Detect tampered or forged session data
- Lightweight alternative to JWT for simple cases
Password Storage Enhancement
- Additional layer of security for password hashing
- HMAC the password with a server-side secret (a "pepper") before the slow, salted password hash
- The per-user salt is what defeats rainbow tables; the pepper stops offline guessing by an attacker who has obtained only the database
- Keep the pepper outside the database (KMS, HSM or environment) so that a database dump alone is not enough to start cracking
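An added example of the pepper pattern just described, also covering the "Key Derivation" use from the Why Use HMAC section: PBKDF2-HMAC-SHA256 is itself built on HMAC, and the pepper is applied as a separate HMAC over the password before the slow hash. This is example code written for this page; the pepper value and the iteration count are constructed assumptions (the count follows OWASP's 2023 guidance for PBKDF2-HMAC-SHA256).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed pepper: in production it lives in a KMS, HSM or environment, never in the user table.
PEPPER = b"constructed-server-side-pepper"
PBKDF2_ROUNDS = 600_000          # OWASP 2023 recommendation for PBKDF2-HMAC-SHA256


def _peppered(password: str, pepper: bytes) -> bytes:
    # HMAC the password under the secret pepper first. Without the pepper an attacker
    # cannot compute the PBKDF2 input, so stolen salts and hashes alone are useless.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Returns (salt, derived_key). Store both next to the user; never store the pepper."""
    salt = salt or os.urandom(16)    # per-user random salt defeats precomputed (rainbow) tables
    dk = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt, PBKDF2_ROUNDS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored: bytes, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, stored))
    print(verify_password("Tr0ub4dor&3", salt, stored))
```

Rotating the pepper means rehashing on next login (you need the plaintext password to recompute), so version the pepper alongside the hash if you expect to rotate it.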
HMAC Best Practices
- Use SHA-256 or Higher: Prefer HMAC-SHA256 or HMAC-SHA512 for new implementations
- Strong Secret Keys: Use cryptographically random keys of at least 256 bits
- Keep Keys Secret: Never expose secret keys in client-side code or public repositories
- Key Rotation: Regularly rotate secret keys and update systems
- Constant-Time Comparison: Use timing-safe comparison to prevent timing attacks
- Include Timestamps: Add timestamps to messages to prevent replay attacks
- Use HTTPS: Always transmit HMACs over secure connections
- Version Keys: Include key version identifiers for smooth key rotation
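The Session Token Generation use case above and several of these best practices (timestamps against replay, constant-time comparison, key rotation with a key version identifier) fit in one added example, written for this page rather than taken from any library. The token layout <kid>.<base64url claims>.<base64url tag>, the KEY_RING key identifiers and the key bytes are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed key ring: during rotation more than one key version is valid, and the
# token names which one it was signed with. Real keys come from a secret store.
KEY_RING: Dict[str, bytes] = {
    "k1": b"constructed-previous-key-0123456789abcdef",
    "k2": b"constructed-current-key--0123456789abcdef",
}
CURRENT_KID = "k2"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, ttl_seconds: int, now: Optional[float] = None,
                kid: Optional[str] = None) -> str:
    """Layout: <kid>.<base64url(JSON claims with exp)>.<base64url(HMAC-SHA256 tag)>."""
    kid = kid or CURRENT_KID
    now = time.time() if now is None else now
    body = dict(claims, exp=int(now) + ttl_seconds)           # expiry bounds replay
    payload = _b64url(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{kid}.{payload}"                         # kid is under the tag, so it can't be swapped
    tag = hmac.new(KEY_RING[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(tag)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Returns the claims, or None for anything malformed, forged, expired or signed by a retired key."""
    now = time.time() if now is None else now
    try:
        kid, payload, tag_text = token.split(".")
        key = KEY_RING.get(kid)
        if key is None:
            return None                                        # unknown or retired key version
        expected = hmac.new(key, f"{kid}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(tag_text)):
            return None                                        # tampered payload or wrong key
        claims = json.loads(_unb64url(payload))                # only parse after the tag checks out
        if not isinstance(claims, dict) or claims["exp"] <= now:
            return None                                        # expired or missing expiry
        return claims
    except (ValueError, KeyError, TypeError):                  # bad split, base64, JSON or exp
        return None


def retire_key(kid: str) -> None:
    """Once every token signed under kid has expired, drop it from the ring."""
    KEY_RING.pop(kid, None)


if __name__ == "__main__":
    tok = issue_token({"user": "alice", "role": "user"}, ttl_seconds=3600)
    print(tok)
    print(verify_token(tok))
```

Verifying the tag before parsing the payload is deliberate: the JSON parser should only ever see data that the key holder produced. Retire a key only after its longest-lived token has expired, otherwise valid sessions are cut off.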
HMAC vs Other Authentication Methods
HMAC vs Digital Signatures
- HMAC: Symmetric (same key for signing and verification), faster, simpler
- Digital Signatures: Asymmetric (different keys), non-repudiation, public verification
- Use HMAC when: Sender and receiver can share a secret key securely
- Use Signatures when: Need public verification or non-repudiation
HMAC vs JWT
- HMAC: A bare authentication tag; you define the message layout and any metadata (expiry, key id) yourself
- JWT: Header, claims and signature, each base64url-encoded; the HS256 algorithm is HMAC-SHA256 over the first two parts
- Use HMAC when: Need simple message authentication
- Use JWT when: Need stateless authentication with embedded claims
Security Considerations
- Key Length: Use keys at least as long as the hash output (256 bits for SHA-256)
- Key Storage: Store keys securely using key management systems or environment variables
- Timing Attacks: Always use constant-time comparison functions to verify HMACs
- Replay Prevention: Include nonces or timestamps in messages to prevent replay attacks
- Key Scope: Use different keys for different purposes or services
- Truncation: Prefer the full tag; if a protocol must truncate, RFC 2104 advises keeping at least half the hash output and never fewer than 80 bits
Example: API Request Signing
POST /api/transfer
Content-Type: application/json
{
"amount": 100.00,
"to_account": "12345",
"timestamp": "2025-11-01T12:00:00Z"
}
HMAC Signature Process:
- Concatenate: method + path + timestamp + body, joined with a fixed delimiter (e.g., newline) so the fields cannot be re-split into a different request with the same string
- Generate: HMAC-SHA256 using secret key
- Add header: X-Signature:
- Server verifies HMAC using same secret key
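Both sides of that signing process, as an added example written for this page (not the signing scheme of any particular API): the client builds the canonical string from the sample request above and sends the tag, and the server rebuilds the string from what it actually received, rejects requests outside a timestamp window, and compares in constant time. The header names X-Timestamp and X-Signature, the secret, the skew window and the hashing of the body inside the canonical string are this example's assumptions.

```python
import calendar
import hashlib
import hmac
import time
from typing import Dict, Optional

API_SECRET = b"constructed-shared-api-secret"   # constructed; provisioned per client in practice
MAX_CLOCK_SKEW = 300                              # seconds a signed request stays acceptable
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# The page's sample request, as constructed bytes.
SAMPLE_BODY = b'{"amount": 100.00, "to_account": "12345", "timestamp": "2025-11-01T12:00:00Z"}'
SAMPLE_TS = "2025-11-01T12:00:00Z"


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """Fields joined with '\\n' so they cannot be re-split into a different request;
    the body is hashed first so the string has a fixed shape whatever the body size."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode()


def parse_timestamp(ts: str) -> int:
    """UTC timestamp string to epoch seconds; raises ValueError on anything malformed."""
    return calendar.timegm(time.strptime(ts, TS_FORMAT))


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[str] = None) -> Dict[str, str]:
    """Client side: returns the headers to attach to the request."""
    ts = timestamp or time.strftime(TS_FORMAT, time.gmtime())
    tag = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": ts, "X-Signature": tag}


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   headers: Dict[str, str], now: Optional[float] = None) -> bool:
    """Server side: recompute over the received method, path, timestamp and raw body."""
    ts, tag = headers.get("X-Timestamp"), headers.get("X-Signature")
    if not ts or not tag:
        return False
    try:
        sent_at = parse_timestamp(ts)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - sent_at) > MAX_CLOCK_SKEW:
        return False                                  # stale or future-dated: replay or clock games
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    headers = sign_request(API_SECRET, "POST", "/api/transfer", SAMPLE_BODY, timestamp=SAMPLE_TS)
    print(headers)
    print(verify_request(API_SECRET, "POST", "/api/transfer", SAMPLE_BODY, headers,
                         now=parse_timestamp(SAMPLE_TS) + 30))
```

The window only bounds replay; a captured request can still be resubmitted for up to MAX_CLOCK_SKEW seconds. If that matters (a transfer endpoint is exactly such a case), add a nonce to the canonical string and have the server remember nonces for the length of the window.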
HMAC in Programming Languages
Most programming languages provide built-in HMAC support:
- Python: hmac module - hmac.new(key, msg, hashlib.sha256)
- JavaScript/Node.js: crypto module - crypto.createHmac('sha256', key)
- PHP: hash_hmac() function - hash_hmac('sha256', $data, $key)
- Java: javax.crypto.Mac class - Mac.getInstance("HmacSHA256")
- Ruby: OpenSSL::HMAC - OpenSSL::HMAC.hexdigest('sha256', key, data)
- Go: crypto/hmac package - hmac.New(sha256.New, key)
Tools Security and Privacy
Your security is our priority:
- All HMAC generation happens entirely in your browser using JavaScript
- No data is transmitted to any server or stored anywhere
- Your secret keys and messages remain completely private
- Because nothing is transmitted, the tool can be used with real keys; still, treat production secrets with the usual care and avoid pasting them into any web page from a shared or untrusted machine
- No tracking, logging, or data collection
- Works offline once the page is loaded