DevToolbox

HMAC Generator

Compute HMAC signatures using MD5, SHA-1, SHA-256, SHA-384, and SHA-512 with hex or Base64 output.

About This Tool

The HMAC Generator computes Hash-based Message Authentication Codes (HMACs) for any text message using a secret key. It calculates all five algorithms simultaneously — HMAC-MD5, HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 — so you can compare results and choose the right one for your use case without switching tools.

HMAC combines a cryptographic hash function with a secret key to produce a message authentication code. Unlike plain hashing, HMAC provides both data integrity and authentication: only someone who knows the secret key can produce a valid HMAC for a given message. This makes HMAC essential for API signature verification, webhook validation, and token generation. If you need to verify JWTs that use HMAC signing, check out the JWT Decoder.

The SHA-based algorithms (SHA-1, SHA-256, SHA-384, SHA-512) are computed using the browser's built-in Web Crypto API, which provides hardware-accelerated, constant-time implementations. HMAC-MD5 is computed using a manual HMAC construction on top of the spark-md5 library, following the standard RFC 2104 definition: H(K XOR opad || H(K XOR ipad || message)). While MD5 is considered cryptographically weak for standalone hashing, HMAC-MD5 remains secure against known attacks in most practical scenarios. For plain hash digests without a key, use the Hash Generator.

All processing happens entirely in your browser. Your message and secret key are never transmitted to any server. You can toggle the output format between hexadecimal and Base64 encoding to match whatever format your API or system expects.

How to Use

  1. Type or paste your message into the Message textarea.
  2. Enter your secret key in the Secret Key field.
  3. All five HMAC results (MD5, SHA-1, SHA-256, SHA-384, SHA-512) appear automatically as you type.
  4. Toggle between Hex and Base64 output format using the badges at the top.
  5. Click the copy icon next to any result to copy it to your clipboard.
  6. Use the Sample button to load an example message and key for testing.
  7. Press Ctrl+Shift+C to quickly copy the HMAC-SHA256 result.

FAQ

Is my data safe?

Yes. All HMAC computation runs entirely in your browser using the Web Crypto API and the spark-md5 library. Your message and secret key are never sent to any server. You can verify this by checking the Network tab in your browser's developer tools.

What is the difference between HMAC and a regular hash?

A regular hash (like SHA-256) produces a digest from a message alone — anyone can compute it. HMAC combines the hash with a secret key, so only parties who know the key can produce or verify the code. This provides authentication in addition to integrity checking.

Which HMAC algorithm should I use?

For most modern applications, HMAC-SHA256 is the recommended choice. It provides strong security and is widely supported. HMAC-SHA512 offers a larger output for extra margin. HMAC-SHA1 and HMAC-MD5 are included for legacy compatibility but should be avoided in new designs.

Is HMAC-MD5 secure?

While MD5 itself has known collision vulnerabilities, HMAC-MD5 is not directly affected by collision attacks due to the keyed construction. It remains secure against known practical attacks. However, for new systems, HMAC-SHA256 or HMAC-SHA512 is preferred.

What is the difference between hex and Base64 output?

Both represent the same binary HMAC output in text form. Hex uses characters 0-9 and a-f, producing a longer string. Base64 uses A-Z, a-z, 0-9, +, and /, producing a shorter string. Choose whichever format your API or system expects.

Can I use this for webhook signature verification?

Yes. Many services (Stripe, GitHub, Slack) sign webhook payloads with HMAC-SHA256. You can paste the webhook body as the message and your webhook secret as the key, then compare the computed HMAC with the signature header sent by the service.

Related Tools

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes for text and files.

JWT Decoder

Decode JSON Web Tokens to inspect header, payload, and verify signatures.

JWT Generator

Generate JSON Web Tokens with custom payloads and HMAC signing. Set claims, expiration, and copy the signed JWT.

Password Generator

Generate secure passwords and passphrases with entropy-based strength analysis.

Text Encrypt / Decrypt

Encrypt and decrypt text with AES-256-GCM using a password. All processing in your browser.