> hmac | authenticate | sign <
// Generate HMAC message authentication codes with secret keys
Web Crypto API
Uses the browser's native Web Crypto API for secure HMAC generation. Your data never leaves your browser.
4 Hash Algorithms
Support for HMAC-SHA256, HMAC-SHA1, HMAC-SHA384, and HMAC-SHA512. Choose the algorithm that fits your needs.
Local Processing
100% client-side processing. No server uploads, no data collection, completely free to use.
// ABOUT HMAC
How HMAC Works:
HMAC (Hash-based Message Authentication Code) is defined in RFC 2104. It combines a cryptographic hash function with a secret key to produce a message authentication code. The algorithm uses inner and outer padding (ipad/opad) with the secret key, applying the hash function twice to ensure both data integrity and authenticity.
Example:
HMAC-SHA256("Hello", "secret") → 88aab3ede8d3adf94d26ab90d3bafd4a2083070c3bcce9c014ee04a443847c0b
Common Use Cases:
- API request authentication and signature verification
- Webhook payload validation
- JSON Web Token (JWT) signing
- Message integrity verification
- Secure session token generation
>> frequently asked questions
Q: What is HMAC?
A: HMAC (Hash-based Message Authentication Code) is a mechanism for calculating a message authentication code using a cryptographic hash function combined with a secret key. It provides both data integrity and authentication, ensuring the message has not been tampered with and comes from a trusted source.
Q: What is the difference between HMAC and a regular hash?
A: A regular hash (like SHA-256) only provides data integrity — anyone can compute the hash. HMAC adds a secret key, so only parties who know the key can generate or verify the code. This makes HMAC suitable for authentication, while plain hashes are not.
Q: How is HMAC used for API signature verification?
A: Many APIs (such as AWS, Stripe, GitHub webhooks) use HMAC to sign requests. The sender computes an HMAC of the request body using a shared secret key and includes it in the header. The receiver recomputes the HMAC and compares it to verify the request is authentic and unmodified.
Q: Which HMAC algorithm should I use?
A: HMAC-SHA256 is the most widely recommended for general use. HMAC-SHA1 is still used in legacy systems but is being phased out. HMAC-SHA384 and HMAC-SHA512 offer higher security margins for sensitive applications.
Q: How long should the secret key be?
A: The secret key should be at least as long as the hash output (e.g., 32 bytes for HMAC-SHA256). Using a key shorter than the hash output reduces security. Keys longer than the block size are hashed first, so excessively long keys don't add extra security.
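
The ipad/opad construction from "How HMAC Works", the long-key rule from the key-length answer, and the receiver-side comparison from the API signature answer, as an added example that is not part of the original page or the tool's own code. It runs in Node.js and uses Node's `crypto` module instead of the browser Web Crypto API; `hmacManual`, `verifyHex` and `matchesBuiltin` are names chosen here for illustration.

```javascript
// Added example (Node.js): RFC 2104 HMAC built by hand from a plain hash.
const nodeCrypto = require('node:crypto');

// Block size in bytes of each hash; SHA-384 and SHA-512 use 128-byte blocks.
const BLOCK_SIZE = new Map([['sha1', 64], ['sha256', 64], ['sha384', 128], ['sha512', 128]]);

function hash(alg, ...parts) {
  const h = nodeCrypto.createHash(alg);
  for (const p of parts) h.update(p);
  return h.digest();
}

// HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))
function hmacManual(alg, key, message) {
  const blockSize = BLOCK_SIZE.get(alg);
  if (!blockSize) throw new Error(`unsupported hash: ${alg}`);
  let k = Buffer.from(key);
  // A key longer than one block is replaced by its hash ...
  if (k.length > blockSize) k = hash(alg, k);
  // ... and the result is zero-padded on the right to exactly one block (K').
  const kPrime = Buffer.alloc(blockSize);
  k.copy(kPrime);
  const ipad = Uint8Array.from(kPrime, (b) => b ^ 0x36);
  const opad = Uint8Array.from(kPrime, (b) => b ^ 0x5c);
  const inner = hash(alg, ipad, Buffer.from(message)); // first hash pass
  return hash(alg, opad, inner); // second hash pass
}

// Receiver side: recompute the tag and compare it in constant time.
function verifyHex(alg, key, message, tagHex) {
  const expected = hmacManual(alg, key, message);
  const given = Buffer.from(String(tagHex), 'hex');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return given.length === expected.length &&
    nodeCrypto.timingSafeEqual(given, expected);
}

// Cross-check the hand-built HMAC against Node's built-in implementation.
function matchesBuiltin(alg, key, message) {
  const ref = nodeCrypto.createHmac(alg, key).update(message).digest();
  return ref.equals(hmacManual(alg, key, message));
}

const longKey = Buffer.alloc(200, 0x61); // constructed 200-byte sample key
console.log(matchesBuiltin('sha256', 'secret', 'Hello')); // key shorter than a block
console.log(matchesBuiltin('sha512', longKey, 'Hello')); // key longer than a block
// A key longer than a block gives the same tag as its own hash used as the key:
console.log(hmacManual('sha256', longKey, 'Hello')
  .equals(hmacManual('sha256', hash('sha256', longKey), 'Hello')));
```

In the browser, `crypto.subtle.verify` with an imported HMAC key performs the recompute-and-compare step in one call, which avoids comparing tag strings with `===`.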