How to Generate an HMAC: Step-by-Step Guide

To generate an HMAC, enter your message and a shared secret key, pick a hash algorithm such as SHA-256, and the tool computes a keyed hash that proves the message is authentic and unaltered. The HMAC Generator does this with the browser's built-in Web Crypto API, outputs the result as hexadecimal or Base64, and never sends your key anywhere.

An HMAC (hash-based message authentication code) is what secures webhook signatures, signed API requests and token verification. Only a party holding the same secret key can produce or check the code, so it proves both integrity and origin. Here is how to create one step by step.

Step-by-step: create an HMAC

  1. Enter the message you want to authenticate: a webhook body, an API request string or any text.
  2. Enter the secret key that both the sender and receiver share.
  3. Pick the hash algorithm: SHA-256 is the common default, SHA-512 gives a longer output, and SHA-1 exists for legacy compatibility.
  4. Choose the output format, lowercase hexadecimal or Base64, to match what your target system expects.
  5. Copy the resulting HMAC and place it in your signature header or verify it against an incoming one.

The tool recomputes live as you edit any field, so you can experiment with different keys and algorithms instantly.

A worked example

Suppose you are signing the message order=42&amount=100 with the secret key s3cr3t using HMAC-SHA256. Type the message and key into the tool, select SHA-256, and a 64-character hex string appears. That string is your signature. On the receiving side, the same message and key produce the exact same string. If even one character of the message changes, the HMAC changes completely, which is how tampering is detected.
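The steps and the worked example above, written out with the Web Crypto API as an added example (this is not the tool's own source code). The function names are illustrative, the message and key are the ones from the worked example, and the receiver leaves the comparison to crypto.subtle.verify instead of comparing signature strings.

```javascript
// Added example, not the tool's source. Runs in a browser or in Node.js.
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto;
const utf8 = new TextEncoder(); // the message and key are hashed as UTF-8 bytes

// Import the shared secret as a non-extractable HMAC key for the chosen hash.
async function importKey(secret, hash = "SHA-256") {
  return subtle.importKey("raw", utf8.encode(secret), { name: "HMAC", hash },
                          false, ["sign", "verify"]);
}

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));

// Sender side: one MAC, returned in both output formats.
async function hmac(message, secret, hash = "SHA-256") {
  const key = await importKey(secret, hash);
  const mac = new Uint8Array(await subtle.sign("HMAC", key, utf8.encode(message)));
  return { hex: toHex(mac), base64: toBase64(mac) };
}

// Receiver side: decode the incoming hex signature and let subtle.verify
// recompute and compare, rather than using === on two strings.
async function verifyHex(message, secret, signatureHex, hash = "SHA-256") {
  if (!/^(?:[0-9a-f]{2})+$/i.test(signatureHex)) return false; // malformed value
  const sig = Uint8Array.from(signatureHex.match(/../g), (h) => parseInt(h, 16));
  const key = await importKey(secret, hash);
  return subtle.verify("HMAC", key, sig, utf8.encode(message));
}

// Values from the worked example; the altered message and key are constructed.
async function demo() {
  const message = "order=42&amount=100", secret = "s3cr3t";
  const { hex, base64 } = await hmac(message, secret);
  return {
    hex, base64,
    genuine: await verifyHex(message, secret, hex),
    tampered: await verifyHex("order=42&amount=900", secret, hex),
    wrongKey: await verifyHex(message, "s3cr3t2", hex),
  };
}
```

Calling demo() returns the signature in both encodings plus the three verification results: only the unmodified message with the correct key verifies.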

Choosing your algorithm and format

Choice          Use when                       Notes
HMAC-SHA256     Most new systems               Standard default; widely supported
HMAC-SHA512     Extra output length wanted     Longer code, higher margin
HMAC-SHA1       Legacy compatibility only      Avoid for new designs
Hex output      Readable, two chars per byte   Common in headers
Base64 output   More compact encoding          Match the target's expectation

Why generating it in your browser matters

HMAC only stays secure while the secret key stays secret. Many online generators send your message and key to a server, which is a real risk when testing production signing keys. The HMAC Generator computes everything locally with crypto.subtle, so your message and key never leave the page and are never logged, and the tool works offline as a PWA. That makes it safe to test real keys while you build or debug an integration.

FAQ

What do I put in the key field?

Enter the shared secret that both sides of the exchange already agree on. For a webhook, that is the signing secret your provider gave you. The same key must be used to generate and to verify the HMAC.

Do I choose hex or Base64?

Both encode the same underlying bytes. Pick whichever format the system you integrate with expects in its signature header: many use hex, some use Base64. If unsure, check the provider's documentation.

Does the message need to be exact?

Yes. HMAC is sensitive to every byte, including whitespace and ordering. Sign the exact bytes the receiver will hash, or the codes will not match even when the content looks the same.

Can it handle non-English text?

Yes. The message is encoded as UTF-8 before hashing, so accented characters, symbols and other Unicode text are supported and produce a consistent HMAC.

Built by ByteVancer

ByteTools is a free product of ByteVancer, a software and web development studio building web apps, SaaS and custom software. If you are building an API, webhook pipeline or secure integration, explore how ByteVancer can help you ship it.