HMAC generator online — HMAC-SHA256 and HMAC-SHA512 with a secret for webhooks and API signatures

Use this free online HMAC generator to compute HMAC-SHA256 or HMAC-SHA512 over any string you provide, using a shared secret key encoded as UTF-8. The result is a cryptographic authentication tag you can compare to webhook signatures (Stripe, GitHub, Slack-style flows), signed callbacks, or custom API gateways. Copy the digest with the copy icon next to Copy signature; load a local text file into the secret or message fields with Upload file and the upload icon. Everything runs in your browser via the Web Crypto API. When you only need an unkeyed digest of text, use our hash generator for MD5 and SHA-family checksums. For symmetric encryption with a passphrase, see AES encrypt and decrypt.

HMAC uses your secret as raw key bytes after UTF-8 encoding. Match the exact payload bytes your provider signs (often the raw HTTP body before parsing). For unkeyed SHA-256 digests of text, use the hash generator tool instead.

What is HMAC and why do developers search for an HMAC calculator?

HMAC (Hash-based Message Authentication Code) combines a secret key with a hash function so that only someone who knows the key can produce the same tag for a given message. Unlike a plain SHA-256 hash, an attacker cannot forge a valid tag from the message alone. Teams look for an HMAC SHA256 online tool when they debug webhook signature verification, compare a header to a locally computed value, or document integration tests that show sample inputs and expected tags. This page focuses on HMAC-SHA256 and HMAC-SHA512 because those are what most modern APIs specify.

Keywords that match this tool include webhook signature generator, API HMAC test, signed request debugging, and UTF-8 HMAC — because byte-for-byte agreement with the provider depends on encoding and on the exact string being signed (often the raw HTTP body before JSON parsing).

How to use this HMAC generator (step by step)

  1. Paste your signing secret into the secret field, or click Upload file to load a UTF-8 key from disk. Use Show to confirm there are no accidental spaces or wrong characters.
  2. Paste the message or payload — for JSON webhooks, that is usually the raw JSON string as received, not pretty-printed unless the provider signs pretty-printed bytes. Upload a file if your fixture lives in a repo.
  3. Choose HMAC-SHA256 or HMAC-SHA512 and whether you need lowercase hexadecimal or Base64 to match documentation (some systems prefix hex with sha256= in headers—add that prefix yourself when comparing).
  4. Click Copy signature (with the copy icon) and paste the value next to your server-side computation or ticket. If the tag does not match, normalize the payload with our JSON formatter only after you confirm whether the signer uses canonical JSON.

HMAC vs plain hashing: when to use each

Use HMAC when two parties share a secret and need to prove authenticity of a message. Use a plain digest from the hash generator for integrity of public content (checksums, cache keys) where no secret is involved. For password storage, use dedicated password hashes (see password strength meter and industry guidance on bcrypt or Argon2), not HMAC of passwords in logs.

Encoding pitfalls: why verification fails even with the “same” JSON

HMAC is computed over bytes. A trailing newline, different Unicode normalization, or re-serialized JSON with another key order changes the tag. If you transport binary inside text, round-trip through Base64 encode and decode only when the protocol says to. Align with your provider’s test vectors before filing a bug.
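
The comparison described in the steps above, and the byte-level pitfalls from this section, shown as an added Python example (not this site's code). The function names, secret, body and header are constructed for illustration; the `sha256=` hex prefix follows the header style mentioned on this page.

```python
import hashlib
import hmac
import base64
import json

ALGORITHMS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}

def compute_tag(secret: str, payload: bytes, algorithm: str = "sha256",
                encoding: str = "hex") -> str:
    """HMAC over the exact payload bytes; the secret is UTF-8 encoded, as on this page."""
    digest = hmac.new(secret.encode("utf-8"), payload, ALGORITHMS[algorithm]).digest()
    if encoding == "hex":
        return digest.hex()                      # lowercase hexadecimal
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding}")

def verify_header(secret: str, raw_body: bytes, header: str) -> bool:
    """Verify an '<algorithm>=<hex>' header value against the raw request body."""
    algorithm, sep, received = header.strip().partition("=")
    if not sep or algorithm not in ALGORITHMS:
        return False
    expected = compute_tag(secret, raw_body, algorithm)
    # Constant-time comparison of bytes avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.lower().encode("utf-8"))

# Constructed sample values (hypothetical secret, body and header).
SECRET = "example-signing-secret"
RAW_BODY = b'{"id":42,"event":"ping"}'
HEADER = "sha256=" + compute_tag(SECRET, RAW_BODY)

def check_variants() -> dict:
    """Verify the same logical JSON in several byte forms against one header."""
    parsed = json.loads(RAW_BODY)
    variants = {
        "raw body": RAW_BODY,
        "trailing newline": RAW_BODY + b"\n",
        "re-serialized": json.dumps(parsed).encode("utf-8"),
        "pretty-printed": json.dumps(parsed, indent=2).encode("utf-8"),
        "keys sorted": json.dumps(parsed, sort_keys=True,
                                  separators=(",", ":")).encode("utf-8"),
    }
    return {name: verify_header(SECRET, body, HEADER) for name, body in variants.items()}

if __name__ == "__main__":
    for name, ok in check_variants().items():
        print(f"{name:18} {'match' if ok else 'MISMATCH'}")
```

Only the untouched raw body verifies; every parsed-and-rewritten form of the same JSON produces a different tag.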

Privacy and security notes

Signing runs locally; we do not receive your secret or message. For production keys, prefer dedicated secret managers and never paste live credentials into shared screens. For asymmetric signing and key pairs, use the RSA key pair generator when you need public-key workflows instead of shared HMAC secrets.

Related security and encryption tools

Browse the full security and encryption tools section on the home page. Highlights from the catalog:

  • Password Strength Meter: Score password entropy, estimate crack time, and get practical hardening tips.
  • bcrypt Hash Generator: Generate bcrypt hashes with configurable cost for secure password storage testing.
  • AES Encrypt & Decrypt: Encrypt and decrypt text with AES-256 and a passphrase—runs fully in your browser.
  • RSA Key Pair Generator: Create 1024–4096 bit RSA public/private key pairs locally for demos and dev workflows.
  • CSP Builder: Toggle Content-Security-Policy directives and copy a header value ready for your server.
  • Security Headers Checker: Analyze security-related HTTP headers on any URL with graded guidance to harden responses.
  • JWT Encoder: Build HS256-signed JWTs from custom header and payload for API and auth testing.
  • SSL Certificate Decoder: Paste PEM certificates to read subject, issuer, SANs, and validity windows.
  • .htaccess Generator: Assemble common Apache .htaccess rules for redirects, HTTPS, caching, and access control.

Frequently asked questions

What does this HMAC generator compute?
It computes HMAC-SHA256 or HMAC-SHA512 over your message using a secret key. Both the secret and the message are encoded as UTF-8 bytes before the HMAC step, which matches how most webhook providers document their signatures. You can read the result as lowercase hexadecimal or standard Base64.
Is my secret or message uploaded to a server?
No. The tool uses the Web Crypto API inside your browser tab only. Nothing is sent to our servers for signing. Still avoid pasting production secrets on shared or untrusted machines—screen capture and clipboard history remain risks.
Why does my signature not match the API or webhook?
Usually the payload bytes differ: trailing newlines, pretty-printed JSON vs minified, different UTF-8 normalization, or the service hashes the raw request body while you edited a copy. Some providers prefix the digest (for example sha256=) or use Base64 while others use hex. Confirm the exact message string and encoding their docs specify.
Should I use HMAC-SHA256 or HMAC-SHA512?
HMAC-SHA256 is the default for most webhooks and APIs today. HMAC-SHA512 produces a longer tag and is fine when a platform requires it or you want a larger output with the same keyed construction. Both are keyed hashes; pick what your integration documentation mandates.
How is this different from a plain SHA-256 hash?
A plain SHA-256 hash has no secret: anyone can recompute it from the message. HMAC includes a secret key, so only parties with the key can produce or verify the same tag. Use plain hashes for checksums; use HMAC when you need authenticity with a shared secret.
Can I use a binary key or key imported from Base64?
This page treats the secret field as UTF-8 text, which matches many dev tutorials and test keys. If your service gives you a Base64-encoded key, decode it elsewhere and paste the resulting bytes as extended characters, or use a CLI that imports raw key bytes. Adding raw hex key entry is a possible future enhancement.
What related tools help with signatures and encoding?
Use the hash generator for unkeyed digests, Base64 tools when transports wrap binary, the JSON formatter to inspect canonical payloads before signing, and AES or RSA tools on this site when you need encryption or asymmetric keys instead of symmetric HMAC tags.