HMAC Generator Online
Generate an HMAC signature from a message and secret key with SHA-256, SHA-1, SHA-384, or SHA-512 in your browser. Your key stays local.
The HMAC Generator runs entirely in your browser using the Web Crypto API. The message you sign and the secret key you enter never leave your device and are not uploaded to ArrayKit.
About HMAC Generator
The HMAC Generator signs a message with a secret key to produce a keyed hash — the same authentication code your API or webhook uses to prove a payload was not tampered with. Type or paste the message and the secret, pick SHA-256, SHA-1, SHA-384, or SHA-512, and read the signature back as both hex and Base64. The key can be plain UTF-8 text or a hex-encoded byte string, so it lines up with whatever your server expects. It is built for developers verifying webhook signatures, wiring up signed request headers, testing an API's HMAC scheme, or checking a value against library output. Everything is computed on your device with the Web Crypto API — the message and secret key never leave your browser.
Features
- Sign any message with a secret key and read the HMAC instantly
- Toggle between SHA-256, SHA-1, SHA-384, and SHA-512 hash functions
- See the signature as lowercase hex and standard Base64 side by side
- Enter the secret key as UTF-8 text or as a hex-encoded byte string
- Matches server-side and library HMAC output byte for byte
- Copy the hex or Base64 signature with a single click
- Clear error when a hex key has odd length or non-hex characters
- Runs on your device via the Web Crypto API with nothing uploaded
How to use the HMAC Generator
- Choose the hash algorithm your service uses (SHA-256 is the most common)
- Type or paste the message you want to authenticate
- Enter the secret key and pick UTF-8 or Hex to match its format
- Read the HMAC as hex or Base64 and copy the value you need
Example
Input
message: The quick brown fox jumps over the lazy dog
key: key (UTF-8)
algorithm: SHA-256
Output
hex: f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8
base64: 97yD9DBThCSxMpjmqm+xQ+9NWaFJRhdZl0edvC0aPNg=
HMAC-SHA256 of the classic fox sentence, keyed with "key".
Common errors & troubleshooting
- The signature does not match what my server produces. — Confirm you picked the same hash (SHA-256 vs SHA-1) and the same key format. A key like a0b1c2 is different as raw UTF-8 text than as hex bytes — switch the Hex toggle to match how the server reads it.
- Error: Hex key must have an even number of digits. — In Hex key mode every byte is two hex characters, so the key length must be even. Remove any stray character or add the missing digit, or switch to UTF-8 mode if the key is really text.
- The API wants the signature as Base64 but I only have the hex. — You do not need to convert anything — this tool shows the same signature as both hex and Base64. Copy the Base64 value directly from the second row.
- Trailing newline or spaces change the result. — HMAC covers every byte of the message, so a trailing newline or space produces a different code. Sign the exact bytes your service sends, with no added whitespace.
Frequently asked questions
- What does this HMAC Generator compute?
  It computes a keyed-hash message authentication code: it combines your message with a secret key under a hash function (SHA-256, SHA-1, SHA-384, or SHA-512) and returns the resulting signature as hex and Base64. Anyone with the same key can recompute it to verify the message.
- Should I enter my key as UTF-8 or hex?
  Match how your service stores the key. If the secret is a normal string or passphrase, use UTF-8. If it is a sequence of hex bytes (common for randomly generated keys), switch to Hex so the exact same bytes are used — the two produce different signatures.
- Which HMAC algorithm should I pick?
  HMAC-SHA256 is the default for most APIs and webhooks. Choose SHA-384 or SHA-512 for a longer signature, or SHA-1 only when you must match an older system, since SHA-1 is considered weak for new designs.
- How do I verify a webhook signature with this?
  Paste the raw webhook payload as the message, enter the shared signing secret as the key, pick the algorithm the provider documents, and compare the hex or Base64 output against the signature header they sent. A match confirms the payload is authentic and unmodified.
- Does my message or secret key get uploaded anywhere?
  No. The HMAC is computed in your browser with the Web Crypto API. The message you sign and the secret key you enter never leave your device and are not sent to ArrayKit or any server.
- Why is the output in both hex and Base64?
  Different services encode the same HMAC bytes differently — some headers use lowercase hex, others use Base64. This tool shows both encodings of the identical signature so you can copy whichever format your API expects without converting by hand.
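The signing and verification steps described above, as an added JavaScript example (not ArrayKit's own code): it reproduces the fox example with the Web Crypto API, accepts the key as UTF-8 or hex, and checks a received signature with `subtle.verify` so the comparison is done by the crypto implementation rather than by a string `===`. The function names (`hmac`, `verifyHex`, `importHmacKey`, `hexToBytes`) are illustrative assumptions.

```javascript
// Added example. Web Crypto is global in browsers and Node 20+;
// the require() fallback is only reached on older CommonJS Node.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// Decode a hex string, rejecting odd length or non-hex characters.
function hexToBytes(hex) {
  if (hex.length % 2 !== 0) throw new Error("Hex value must have an even number of digits.");
  if (!/^[0-9a-fA-F]*$/.test(hex)) throw new Error("Hex value contains non-hex characters.");
  return Uint8Array.from(hex.match(/../g) ?? [], (b) => parseInt(b, 16));
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));

// keyFormat: "utf8" or "hex"; hash: "SHA-256", "SHA-1", "SHA-384" or "SHA-512".
async function importHmacKey(key, keyFormat, hash) {
  // "a0b1c2" is 6 key bytes as UTF-8 but 3 key bytes as hex: different keys.
  const raw = keyFormat === "hex" ? hexToBytes(key) : new TextEncoder().encode(key);
  return subtle.importKey("raw", raw, { name: "HMAC", hash }, false, ["sign", "verify"]);
}

// Sign the exact UTF-8 bytes of `message`; return both encodings of the same MAC.
async function hmac(message, key, keyFormat = "utf8", hash = "SHA-256") {
  const k = await importHmacKey(key, keyFormat, hash);
  const sig = new Uint8Array(await subtle.sign("HMAC", k, new TextEncoder().encode(message)));
  return { hex: toHex(sig), base64: toBase64(sig) };
}

// Check a hex signature (for example from a webhook header) against the raw payload.
// A malformed signature is treated as a failed verification, not an exception.
async function verifyHex(message, signatureHex, key, keyFormat = "utf8", hash = "SHA-256") {
  let sig;
  try {
    sig = hexToBytes(signatureHex);
  } catch {
    return false;
  }
  const k = await importHmacKey(key, keyFormat, hash);
  return subtle.verify("HMAC", k, sig, new TextEncoder().encode(message));
}
```

On a server, pass the request body exactly as received to `verifyHex`; re-serializing parsed JSON can change the bytes and break the match.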