HMAC Generator
Generate an HMAC of any message with a secret key using HMAC-SHA1, SHA-256 or SHA-512 via the Web Crypto API. Output in hex or Base64, computed entirely offline.
- HMAC-SHA1, HMAC-SHA256 and HMAC-SHA512
- Built on the standard Web Crypto API
- Hexadecimal or Base64 output formats
- Live recomputation as you edit the inputs
- Handles Unicode text via UTF-8 encoding
- 100% private β message and key stay in your browser
How to use the HMAC Generator
- 1
Enter the message you want to authenticate.
- 2
Enter the secret key that both sides share.
- 3
Pick the hash algorithm: SHA-1, SHA-256 or SHA-512.
- 4
Choose hexadecimal or Base64 output.
- 5
Copy the resulting HMAC to sign or verify your message.
About the HMAC Generator
The ByteTools HMAC Generator computes a keyed hash message authentication code for any text using a secret key. HMAC proves both the integrity and the authenticity of a message: only someone who knows the key can produce or verify the same code, which is why HMAC underpins webhook signatures, API request signing and token verification.
Choose the underlying hash β SHA-1, SHA-256 or SHA-512 β enter your message and secret key, and read the result as lowercase hexadecimal or Base64. The computation uses the browser's built-in Web Crypto API (crypto.subtle.importKey and sign), which is fast and standards-based.
Everything runs locally in your browser with JavaScript. Your message and key are never uploaded, logged or stored, and the tool works offline, so you can safely test real signing keys.
Frequently asked questions
What is an HMAC used for?
An HMAC verifies that a message has not been altered and that it came from someone holding the shared secret key. It is widely used to sign webhooks, authenticate API requests and protect tokens, because an attacker without the key cannot forge a valid code.
How is HMAC different from a plain hash?
A plain hash like SHA-256 verifies integrity but anyone can compute it, so it proves nothing about the sender. HMAC mixes in a secret key, so only parties who know the key can generate or check the code, adding authenticity on top of integrity.
Which hash algorithm should I choose?
HMAC-SHA256 is the common default and a solid choice for most systems. HMAC-SHA512 offers a longer output for extra margin, while HMAC-SHA1 is mainly for compatibility with older systems and is best avoided for new designs.
What is the difference between hex and Base64 output?
Both encode the same bytes. Hexadecimal uses two characters per byte and is easy to read, while Base64 is more compact. Pick whichever format the system you are integrating with expects for its signature header or field.
Is my secret key sent to a server?
No. The HMAC is computed in your browser with the Web Crypto API. Your message and key never leave the page, are not logged, and the tool works offline, so testing real keys here is safe.
Related tools
- SHA-256 Hash GeneratorGenerate SHA-256 hashes of text or files with the browser's Web Crypto API. 64-character hβ¦
- SHA-512 Hash GeneratorCompute SHA-512 hashes of text or files right in your browser. 128-character hex digest wiβ¦
- SHA-1 Hash GeneratorCompute SHA-1 hashes of text or files in your browser using Web Crypto. 40-character hex dβ¦
- MD5 Hash GeneratorGenerate MD5 hashes of text or files instantly in your browser. 32-character hex checksum β¦
- AES Text EncrypterEncrypt text with a password using AES-256-GCM and PBKDF2 in your browser. Get a single Baβ¦