HMAC Generator - Hash-Based Message Authentication Code
This HMAC (Hash-based Message Authentication Code) generator allows you to create cryptographic signatures for messages using a secret key and hash function. HMAC provides both data integrity and authenticity, making it essential for API authentication, webhook verification, and secure message transmission.
What is HMAC?
HMAC is a specific type of message authentication code that combines a cryptographic hash function with a secret cryptographic key. According to RFC 2104, HMAC can be used with any hash function (MD5, SHA1, SHA256, etc.). The algorithm produces a fixed-size output that depends on both the message content and the secret key, so a modified message, or a code computed without the correct key, fails verification.
Supported Hash Algorithms
- 🔐 HMAC-MD5: Fast but cryptographically weak. Use only for legacy compatibility.
- 🔐 HMAC-SHA1: Deprecated for new applications but still used in some APIs.
- 🔐 HMAC-SHA256: Recommended for most applications. Good balance of security and performance.
- 🔐 HMAC-SHA512: Highest security level. Ideal for sensitive data and high-security applications.
- 🔐 HMAC-SHA384/SHA224: Alternative SHA-2 variants for specific requirements.
- 🔐 HMAC-SHA3: Latest SHA family standard, resistant to length extension attacks.
- 🔐 HMAC-RIPEMD160: Used in some blockchain applications and Bitcoin-related systems.
Common Use Cases for HMAC
- ✓ API Authentication: AWS Signature v4, Twitter API, and many REST APIs use HMAC for request signing.
- ✓ Webhook Verification: Verify webhook payloads from services like GitHub, Stripe, and Slack.
- ✓ JWT Signatures: JSON Web Tokens often use HMAC (HS256, HS384, HS512) for token signing.
- ✓ Message Integrity: Ensure messages haven't been tampered with during transmission.
- ✓ File Verification: Verify file integrity with secret-key based checksums.
- ✓ Password Hashing: Some systems use HMAC with key stretching for password storage (though bcrypt/Argon2 are preferred).
How to Use This HMAC Generator
- Enter Message: Input the text or data you want to authenticate.
- Provide Secret Key: Enter a secret key. Keep this key secure - anyone with the key can generate valid HMACs.
- Select Algorithm: Choose a hash function (SHA256 is recommended for most use cases).
- Choose Output Format: Select Hex, Base64, Base64url, or Binary format.
- Generate HMAC: Click the button to compute the authentication code.
HMAC Security Best Practices
- ⚠ Key Security: Keep your secret keys secure. Never commit them to version control or share them publicly.
- ⚠ Key Rotation: Implement key rotation policies for production systems to limit exposure if a key is compromised.
- ⚠ Algorithm Choice: Use SHA256 or stronger for new applications. Avoid MD5 and SHA1 for security-critical systems.
- ⚠ Message Uniqueness: Include timestamps or nonces in messages to prevent replay attacks.
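The practices above, combined in one receiver-side check; this is an added example, not code from this tool. The message layout (timestamp, length-prefixed nonce, body), the 300-second window, the key ids, and the names `sign` and `Verifier` are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window


def sign(key: bytes, timestamp: int, nonce: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over timestamp, nonce and body (assumed layout)."""
    # The nonce is length-prefixed so its boundary with the body is unambiguous.
    header = f"{timestamp}.{len(nonce)}.{nonce}.".encode()
    return hmac.new(key, header + body, hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys  # key id -> secret; old and new key coexist during rotation
        self.seen: dict[str, int] = {}  # nonce -> timestamp of accepted messages

    def verify(self, key_id, timestamp, nonce, body, tag, now=None) -> str:
        now = int(time.time()) if now is None else now
        key = self.keys.get(key_id)
        if key is None:
            return "unknown-key"
        expected = sign(key, timestamp, nonce, body)
        # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-tag"
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return "stale"
        # Nonces older than the window can be dropped: the timestamp check rejects them.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= MAX_SKEW_SECONDS}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = timestamp
        return "ok"


if __name__ == "__main__":
    # Constructed sample keys and message, for illustration only.
    v = Verifier({"2024-a": b"old-demo-key", "2024-b": b"new-demo-key"})
    now = 1_700_000_000
    body = b'{"event":"ping"}'
    tag = sign(b"new-demo-key", now, "n-001", body)
    print(v.verify("2024-b", now, "n-001", body, tag, now=now))         # first delivery
    print(v.verify("2024-b", now, "n-001", body, tag, now=now))         # same message again
    print(v.verify("2024-b", now, "n-001", body + b" ", tag, now=now))  # modified body
```

The tag is checked before the timestamp and nonce, so only authenticated messages are recorded in the nonce store.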
HMAC Algorithm Properties
- Authentication: Proves the message came from someone who knows the secret key
- Integrity: Detects any modification to the message during transmission
- Non-repudiation: Provides evidence that the message was sent by a key holder (with caveats: the key is shared, so the sender and the verifier can both produce the same code)
- Fixed Output: Produces output of the same length as the underlying hash function
This tool performs all HMAC computations entirely in your browser using the Web Crypto API. No data is sent to any server. Remember that HMAC provides message authentication but not encryption. For protecting sensitive data, combine HMAC with encryption. Always use strong, randomly generated keys and never expose them in client-side code.