Search tools

Find a tool by name or what it does.

HMAC Generator

Compute an HMAC of a message with your secret key using SHA-256, SHA-1, SHA-384, or SHA-512, in hex and Base64.

Signed live as you type. Nothing leaves your browser.

Key encoding

An empty key is allowed. Whitespace is ignored for hex and Base64 keys.

Hash function

Hex case

Message authentication code

Enter a message and the authentication code will appear here in hex and Base64.

The message and secret key are processed in your browser. Nothing is uploaded.

How to generate an HMAC online

  1. Enter your message and key

    Type or paste the message you want to authenticate, then enter the secret key that both sides share.

  2. Pick the hash and key encoding

    Choose SHA-256, SHA-1, SHA-384, or SHA-512, and set whether your key is plain text, hexadecimal, or Base64.

  3. Read the code in hex and Base64

    The keyed hash appears in both hexadecimal and Base64 the moment there is input, with no button to press.

  4. Copy the result

    Use the copy button on either encoding, or copy both at once to paste into a request, header, or config file.

Why use this tool

Four hash functions

Compute the keyed hash with SHA-256, SHA-1, SHA-384, or SHA-512 and switch between them instantly, so you can match whatever a server or webhook expects.

Hex and Base64 side by side

Every result is shown in both hexadecimal and Base64 at once, each with its own copy button, so you never have to convert the output by hand.

Keys as text, hex, or Base64

Enter the secret key however it is stored. Plain text, hexadecimal, and Base64 keys are all decoded before signing, and an empty key is accepted.

Clear errors on bad keys

A hex key with an odd length or a malformed Base64 key is flagged with a plain explanation instead of a silent, wrong result.

Automatic, no button to press

The code recomputes a moment after you change the message, key, or options, with no compute step and no server round trip to wait on.

Runs entirely in your browser

The message and secret key stay on your device. Nothing is uploaded, logged, or stored after you leave.

About this tool

An HMAC, or hash-based message authentication code, proves that a message came from someone holding a shared secret key and that it was not changed along the way. This tool takes a message and a secret key, runs them through SHA-256, SHA-1, SHA-384, or SHA-512, and shows the resulting code in both hexadecimal and Base64. Everything is computed locally, and the output updates the moment you change the message, the key, or the options.

Reach for it when you are building or debugging anything that signs requests: verifying a webhook signature from a payment or chat platform, generating an authorization header for an API, or confirming a token was signed with the key you expect. The secret key can be entered as plain text, as hexadecimal, or as Base64, whichever form your platform documents, and an empty key is accepted. A hex key must have an even number of characters, and an invalid key is reported rather than quietly producing the wrong code. If you only need a plain digest with no key, use the hash generator; to inspect a signed token instead of creating a code, see the JWT decoder.

HMAC with SHA-256 or SHA-512 is a standard building block for request signing and webhook verification, while SHA-1 still appears in older integrations. Because the work happens in your browser, production keys and payloads you paste in never travel anywhere. The Base64 output is ready to drop into a header or JSON field, and you can encode or decode other data with the Base64 tool.

Frequently asked questions

What is an HMAC?
An HMAC (hash-based message authentication code) combines a message with a secret key to produce a short code. Anyone holding the same key can recompute the code to confirm the message is authentic and unchanged. It is widely used to sign API requests and verify webhooks.
Which hash functions can I use?
You can compute the code with SHA-256, SHA-1, SHA-384, or SHA-512. SHA-256 is the common default for request signing and webhooks; pick the one your server or provider specifies.
How do I enter my secret key?
Type or paste the key, then choose whether it is plain text, hexadecimal, or Base64 so it is decoded correctly before signing. Spaces are ignored for hex and Base64 keys, and an empty key is accepted.
Why does my hex key show an error?
A hexadecimal key must have an even number of characters, because every byte is written as two characters, and it may only contain 0 to 9 and A to F. If the length is odd or a character is out of range, the tool explains the problem instead of returning a wrong code. Switch the key encoding to plain text if the key is not actually hex.
Is my message or key uploaded anywhere?
No. Everything runs in your browser; nothing is sent to a server. The message, the secret key, and the resulting code never leave your device and are not stored or logged.
Is HMAC the same as a plain hash?
No. A plain hash such as SHA-256 depends only on the message, so anyone can compute it. An HMAC also mixes in a secret key, so only holders of that key can produce or verify the code. For a keyless digest or checksum, use the hash generator instead.

Related tools