HMAC Generator Online

Generate an HMAC signature from a message and secret key with SHA-256, SHA-1, SHA-384, or SHA-512 in your browser. Your key stays local.

The HMAC Generator runs entirely in your browser using the Web Crypto API. The message you sign and the secret key you enter never leave your device and are not uploaded to ArrayKit.

Open the Hash Generator

About HMAC Generator

The HMAC Generator signs a message with a secret key to produce a keyed hash — the same authentication code your API or webhook uses to prove a payload was not tampered with. Type or paste the message and the secret, pick SHA-256, SHA-1, SHA-384, or SHA-512, and read the signature back as both hex and Base64. The key can be plain UTF-8 text or a hex-encoded byte string, so it lines up with whatever your server expects. It is built for developers verifying webhook signatures, wiring up signed request headers, testing an API's HMAC scheme, or checking a value against library output. Everything is computed on your device with the Web Crypto API — the message and secret key never leave your browser.

Features

How to use the HMAC Generator

  1. Choose the hash algorithm your service uses (SHA-256 is the most common)
  2. Type or paste the message you want to authenticate
  3. Enter the secret key and pick UTF-8 or Hex to match its format
  4. Read the HMAC as hex or Base64 and copy the value you need

Example

Input

message: The quick brown fox jumps over the lazy dog
key: key (UTF-8)
algorithm: SHA-256

Output

hex:    f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8
base64: 97yD9DBThCSxMpjmqm+xQ+9NWaFJRhdZl0edvC0aPNg=

HMAC-SHA256 of the classic fox sentence, keyed with "key".

Common errors & troubleshooting

Frequently asked questions

What does this HMAC Generator compute?
It computes a keyed-hash message authentication code: it combines your message with a secret key under a hash function (SHA-256, SHA-1, SHA-384, or SHA-512) and returns the resulting signature as hex and Base64. Anyone with the same key can recompute it to verify the message.
Should I enter my key as UTF-8 or hex?
Match how your service stores the key. If the secret is a normal string or passphrase, use UTF-8. If it is a sequence of hex bytes (common for randomly generated keys), switch to Hex so the exact same bytes are used — the two produce different signatures.
Which HMAC algorithm should I pick?
HMAC-SHA256 is the default for most APIs and webhooks. Choose SHA-384 or SHA-512 for a longer signature, or SHA-1 only when you must match an older system, since SHA-1 is considered weak for new designs.
How do I verify a webhook signature with this?
Paste the raw webhook payload as the message, enter the shared signing secret as the key, pick the algorithm the provider documents, and compare the hex or Base64 output against the signature header they sent. A match confirms the payload is authentic and unmodified.
Does my message or secret key get uploaded anywhere?
No. The HMAC is computed in your browser with the Web Crypto API. The message you sign and the secret key you enter never leave your device and are not sent to ArrayKit or any server.
Why is the output in both hex and Base64?
Different services encode the same HMAC bytes differently — some headers use lowercase hex, others use Base64. This tool shows both encodings of the identical signature so you can copy whichever format your API expects without converting by hand.

Related tools

All ArrayKit tools