HMAC Generator

About This Tool

🔑 HMAC Generator – Keyed Message Authentication Codes

A Hash-based Message Authentication Code (HMAC) is a cryptographic construction that combines a hash function with a secret key to produce a fixed-length digest that verifies both the integrity and authenticity of a message. Unlike plain hashing, an HMAC digest cannot be forged without knowing the shared secret key.

How HMAC Works

HMAC is defined in RFC 2104 and follows this construction:

HMAC(K, m) = H((K' ⊕ opad) ∥ H((K' ⊕ ipad) ∥ m))

where:
  K'   = key zero-padded to the hash's block size (a key longer than the block size is first hashed, then padded)
  ipad = 0x36 repeated to block size (inner padding)
  opad = 0x5C repeated to block size (outer padding)
  H    = chosen hash function (e.g., SHA-256)
  ∥    = concatenation

The nested structure means that even an attacker who learns the inner hash value cannot compute the outer hash without the key, which is what protects HMAC from the length-extension attacks that afflict naive keyed constructions such as H(K ∥ m) built on plain hashes.

Supported Algorithms

Algorithm    | Digest Size              | Block Size | Security Status
HMAC-MD5     | 128 bits (32 hex chars)  | 512 bits   | 🔴 Legacy — avoid for new systems
HMAC-SHA-1   | 160 bits (40 hex chars)  | 512 bits   | 🟡 Legacy — use for compatibility only
HMAC-SHA-256 | 256 bits (64 hex chars)  | 512 bits   | 🟢 Recommended
HMAC-SHA-384 | 384 bits (96 hex chars)  | 1024 bits  | 🟢 Strong
HMAC-SHA-512 | 512 bits (128 hex chars) | 1024 bits  | 🟢 Strong

Common Use Cases

API Request Signing

Services like AWS, Stripe, GitHub, and Slack use HMAC-SHA-256 to sign API requests and webhook payloads. The server computes an HMAC of the request body using a shared secret and compares it against the signature in the request header. If they match, the request is authentic.

Webhook Signature Verification

When a webhook arrives at your server, you should always verify its signature before processing. Common webhook headers include:

  • GitHub: X-Hub-Signature-256: sha256=<hex-digest>
  • Stripe: Stripe-Signature: t=<ts>,v1=<digest>
  • Slack: X-Slack-Signature: v0=<hex-digest>

Use the Webhook Verifier mode in this tool to paste the raw request body, your webhook secret, and the received signature. The tool performs a constant-time comparison to tell you if the signature is valid.

Password-Based Authentication Tokens

HMAC is used in TOTP (Time-based One-Time Passwords, RFC 6238) and HOTP (HMAC-based OTP, RFC 4226) algorithms that underpin authenticator apps like Google Authenticator. The secret seed is used as the HMAC key and a time counter as the message.

Output Formats

This tool supports four output encodings for the HMAC digest:

  • Hex (lowercase) — e.g., b94d27b9934d3e08... — the most common format
  • Hex (uppercase) — e.g., B94D27B9934D3E08...
  • Base64 — e.g., uU0nuZNNPgilLl... — compact, used in HTTP headers and JWTs
  • Base64URL — URL-safe variant using - and _ instead of + and /, no padding

Security Best Practices

  • Use HMAC-SHA-256 or stronger for all new implementations
  • Keep secret keys at least as long as the digest size (32+ bytes for SHA-256)
  • Never use the same key for different purposes (key separation principle)
  • Always use constant-time comparison when verifying HMAC values to prevent timing attacks
  • Rotate secret keys periodically and after any suspected compromise

All computations in this tool run entirely in your browser using the crypto-js library — no data is sent to any server.

Frequently Asked Questions

Is the HMAC Generator free?

Yes, HMAC Generator is totally free :)

Can I use the HMAC Generator offline?

Yes, you can install the web app as a PWA.

Is it safe to use HMAC Generator?

Yes. Any data related to HMAC Generator is stored only in your browser (if storage is required at all). You can simply clear the browser cache to remove all stored data. We do not store any data on a server.

What is HMAC and how does this generator work?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a message authentication code. This tool lets you enter a message and secret key, choose an algorithm (MD5, SHA-1, SHA-256, SHA-384, SHA-512), and instantly compute the HMAC digest — all locally in your browser without any server requests.

How is HMAC different from a plain hash?

A plain hash like SHA-256 is deterministic and produces the same output for the same input regardless of any secret. HMAC adds a secret key to the process, so only parties who share the key can generate or verify the authentication code. This makes HMAC suitable for verifying both data integrity AND authenticity, while a plain hash only verifies integrity.

Which HMAC algorithm should I use?

HMAC-SHA-256 is the most widely used choice and offers strong security with compact output. HMAC-SHA-384 and HMAC-SHA-512 provide larger digests for higher security margins. HMAC-SHA-1 and HMAC-MD5 are legacy algorithms — avoid them for new systems but they may be required for compatibility with older APIs.

Can I use this to verify webhook signatures?

Yes. Switch to Webhook Verifier mode, paste the raw request body as the message, enter your webhook secret as the key, select the algorithm (usually SHA-256), then paste the signature from the webhook header (e.g., X-Hub-Signature-256). The tool will compare the computed HMAC against the received signature and show ✅ Valid or ❌ Invalid.

Is my secret key safe when using this tool?

All computation runs entirely in your browser using the crypto-js library — no data is ever sent to any server. Your secret key is masked by default to prevent shoulder-surfing. For maximum security, avoid using production secrets in any online tool and prefer local CLI utilities for sensitive operations.

What does the Multi-Algorithm Comparison mode show?

Multi-Algorithm mode runs the same message and key through all supported HMAC algorithms simultaneously and displays the results in a comparison table. This is useful for understanding how different algorithms produce different digest lengths and for comparing outputs when integrating with APIs that support multiple signing methods.