Free Online HMAC Generator

Generate HMAC-SHA256 and HMAC-SHA512 hash-based message authentication codes from text and a secret key. All processing runs locally in your browser.

Key Features

Cryptographically Secure

Uses the native Web Crypto API with cryptographically secure HMAC signing — no external libraries required.

Two Algorithms

Choose between HMAC-SHA256 and HMAC-SHA512 to match your API or application requirements.

Hex & Base64

Output HMAC in either hex or Base64 encoding — both commonly used in API authentication headers.

100% Private

Your secret key and message never leave your browser. All computation runs entirely client-side.

Frequently Asked Questions

Basics

What is HMAC and how does it differ from a regular hash?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key. A plain hash (such as SHA-256 of a message) can be computed by anyone, whereas an HMAC can only be generated or verified by someone who knows the secret key. This makes HMAC suitable for API request signing, message integrity verification, and authentication.

How do I use this HMAC generator?

  1. Enter your secret key in the Secret Key field.
  2. Type or paste the message you want to sign.
  3. Select the algorithm (SHA-256 or SHA-512) and output format (Hex or Base64).
  4. Click Generate HMAC to compute the result.
  5. Use the Copy button to copy the HMAC value to your clipboard.

Example

Secret Key:

my-secret-key

Message:

Hello, World!

HMAC-SHA256 (Hex):

5ccec1ce96ea3b58b1d6c6ffd2ac1b8c0ea74fab8d5fb27f133cbe34a4d8b821

Details

What is the difference between HMAC-SHA256 and HMAC-SHA512?

HMAC-SHA256 produces a 256-bit (32-byte) output while HMAC-SHA512 produces a 512-bit (64-byte) output. SHA-512 is more computationally expensive but offers a larger security margin. Most modern APIs use HMAC-SHA256 as a good balance of security and performance.

Should I use hex or Base64 format for my HMAC?

Both are widely used. Hex encoding produces a longer string (64 characters for HMAC-SHA256 vs 44 for Base64) but is easier to read and debug. Base64 is more compact and commonly used in HTTP headers like the Authorization header. Choose the format that matches your API specification.

Why use HMAC instead of simply hashing a message with the secret key appended?

Naive concatenation (hash(secret + message)) is vulnerable to length extension attacks with hash functions from the MD5, SHA-1, and SHA-2 families. HMAC uses a specific construction (two rounds of hashing with the key XORed with ipad/opad) that prevents these attacks. Always prefer HMAC over custom hash-and-key schemes.

Can I use this tool for production API authentication?

Yes, the HMAC generated here follows the same algorithm as your backend. Use it during development to verify that your server-side HMAC implementation produces the correct result. For production, always compute HMACs server-side where the secret key stays protected.

What if I need a key longer than the block size?

The Web Crypto API handles this automatically according to RFC 2104: if the key is longer than the block size (64 bytes for SHA-256, 128 bytes for SHA-512), it is first hashed down to the appropriate length. You do not need to pre-process the key; just paste it as-is.
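
The construction described in the last two answers (the key XORed with ipad/opad, and over-long keys hashed down first), written out by hand and checked against a library HMAC. This is an added example, not code from this tool: it uses Node.js's built-in crypto module rather than the browser Web Crypto API so that it runs synchronously, and the function names are illustrative.

```javascript
// Added example (not this tool's code): RFC 2104 HMAC built from a plain hash.
const nodeCrypto = require("node:crypto");

// Hash block sizes in bytes, as stated in the answer above.
const BLOCK_SIZE = { sha256: 64, sha512: 128 };

function digest(alg, ...parts) {
  const h = nodeCrypto.createHash(alg);
  for (const p of parts) h.update(p);
  return h.digest();
}

// XOR every byte of the padded key block with a constant (0x36 = ipad, 0x5c = opad).
function xorPad(keyBlock, padByte) {
  const out = Buffer.alloc(keyBlock.length);
  for (let i = 0; i < keyBlock.length; i++) out[i] = keyBlock[i] ^ padByte;
  return out;
}

// HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))
function manualHmac(alg, key, message) {
  const blockSize = BLOCK_SIZE[alg];
  if (!blockSize) throw new Error(`unsupported algorithm: ${alg}`);
  let k = Buffer.from(key);
  if (k.length > blockSize) k = digest(alg, k); // long key: hash it down first
  const keyBlock = Buffer.alloc(blockSize);     // then zero-pad to one block
  k.copy(keyBlock);
  const inner = digest(alg, xorPad(keyBlock, 0x36), Buffer.from(message));
  return digest(alg, xorPad(keyBlock, 0x5c), inner);
}

// Reference implementation from the standard library.
function libraryHmac(alg, key, message) {
  return nodeCrypto.createHmac(alg, key).update(message).digest();
}

// Published test vector: RFC 4231, test case 2.
const manual = manualHmac("sha256", "Jefe", "what do ya want for nothing?");
const library = libraryHmac("sha256", "Jefe", "what do ya want for nothing?");
console.log(manual.toString("hex"), manual.equals(library));

// Consequence of key hashing: an over-long key and its hash are equivalent keys.
const longKey = Buffer.alloc(200, 0xaa); // constructed sample key
const sameTag = libraryHmac("sha256", longKey, "msg")
  .equals(libraryHmac("sha256", digest("sha256", longKey), "msg"));
console.log("long key == SHA-256(long key):", sameTag);
```

The last check shows why a key longer than the block size adds nothing: it is interchangeable with its own hash.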