How to Generate an HMAC: Step-by-Step Guide
To generate an HMAC, enter your message and a shared secret key, pick a hash algorithm such as SHA-256, and the tool computes a keyed hash that proves the message is authentic and unaltered. The HMAC Generator does this with the browser's built-in Web Crypto API, outputs the result as hexadecimal or Base64, and never sends your key anywhere.
An HMAC (hash-based message authentication code) is what secures webhook signatures, signed API requests and token verification. Only a party holding the same secret key can produce or check the code, so it proves both integrity and origin. Here is how to create one step by step.
Step-by-step: create an HMAC
- Enter the message you want to authenticate β a webhook body, an API request string or any text.
- Enter the secret key that both the sender and receiver share.
- Pick the hash algorithm: SHA-256 is the common default, SHA-512 gives a longer output, and SHA-1 exists for legacy compatibility.
- Choose the output format β lowercase hexadecimal or Base64 β to match what your target system expects.
- Copy the resulting HMAC and place it in your signature header or verify it against an incoming one.
The tool recomputes live as you edit any field, so you can experiment with different keys and algorithms instantly.
A worked example
Suppose you are signing the message order=42&amount=100 with the secret key s3cr3t using HMAC-SHA256. Type the message and key into the tool, select SHA-256, and a 64-character hex string appears. That string is your signature. On the receiving side, the same message and key produce the exact same string β if even one character of the message changes, the HMAC changes completely, which is how tampering is detected.
Choosing your algorithm and format
| Choice | Use when | Notes |
|---|---|---|
| HMAC-SHA256 | Most new systems | Standard default; widely supported |
| HMAC-SHA512 | Extra output length wanted | Longer code, higher margin |
| HMAC-SHA1 | Legacy compatibility only | Avoid for new designs |
| Hex output | Readable, two chars per byte | Common in headers |
| Base64 output | More compact encoding | Match the target's expectation |
Why generating it in your browser matters
HMAC only stays secure while the secret key stays secret. Many online generators send your message and key to a server, which is a real risk when testing production signing keys. The HMAC Generator computes everything locally with crypto.subtle, so your message and key never leave the page, are never logged, and it works offline as a PWA. That makes it safe to test real keys while you build or debug an integration.
Try the HMAC Generator β free and 100% in your browser.
FAQ
What do I put in the key field?
Enter the shared secret that both sides of the exchange already agree on β for a webhook, that is the signing secret your provider gave you. The same key must be used to generate and to verify the HMAC.
Do I choose hex or Base64?
Both encode the same underlying bytes. Pick whichever format the system you integrate with expects in its signature header β many use hex, some use Base64. If unsure, check the provider's documentation.
Does the message need to be exact?
Yes. HMAC is sensitive to every byte, including whitespace and ordering. Sign the exact bytes the receiver will hash, or the codes will not match even when the content looks the same.
Can it handle non-English text?
Yes. The message is encoded as UTF-8 before hashing, so accented characters, symbols and other Unicode text are supported and produce a consistent HMAC.
Related free tools
- SHA-256 Hash Generator β a plain hash without a key.
- SHA-512 Hash Generator β longer-output hashing.
- MD5 Hash Generator β quick checksums for non-security use.
- AES Text Encrypter β encrypt content, not just authenticate it.
Built by ByteVancer
ByteTools is a free product of ByteVancer, a software and web development studio building web apps, SaaS and custom software. If you are building an API, webhook pipeline or secure integration, explore how ByteVancer can help you ship it.
Recommended reading
HMAC Use Cases: Real Examples of Keyed Hashing
Explore real HMAC use cases β webhook signatures, API request signing, token verification, and download integrity, with worked examples.
HMAC Best Practices: Tips and Mistakes to Avoid
Expert HMAC tips β key length, algorithm choice, constant-time comparison, encoding pitfalls and the mistakes that break signature checks.
XOR Cipher Use Cases: CTFs, Learning, and Puzzles
Real use cases for the XOR cipher, from CTF challenges and teaching bitwise logic to lightweight obfuscation, with concrete worked examples.
XOR Cipher Tips: Keys, Security, and Common Mistakes
Pro tips and common mistakes for the repeating-key XOR cipher: key length, reuse pitfalls, format choices, and when to switch to real encryption.