HMAC Generator

Generate HMAC signatures with SHA-256, SHA-384, or SHA-512 — for webhook verification, API authentication, and message integrity.

About HMAC Generator

HMAC (Hash-based Message Authentication Code) is a cryptographic authentication technique that combines a secret key with a hash function (MD5, SHA-1, SHA-256, etc.) to produce a fixed-size signature. It verifies both data integrity (the message was not modified) and authenticity (it came from someone with the secret key).

HMAC-SHA256 is used extensively in webhook signature verification (Stripe, GitHub, Shopify), AWS request signing (Signature Version 4), JWT token signing (HS256 algorithm), API authentication headers, and cookie signing in web frameworks. The recipient recomputes the HMAC using the same key and message, then compares it to the provided signature using a constant-time comparison to prevent timing attacks.

FAQ

Why use HMAC instead of just a hash?
A plain hash of the message (SHA256(message)) can be recomputed by anyone. HMAC(key, message) requires the secret key — only parties who know the key can generate or verify the signature. This provides authentication in addition to integrity checking.

How do I verify a webhook signature?
1. Get the secret key from your webhook provider settings.
2. Compute HMAC-SHA256 of the raw request body using that key.
3. Compare your computed HMAC to the signature in the request header using a constant-time string comparison.
If they match, the webhook is authentic.
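
The verification steps above as an added Python example (not code from this page or from any webhook provider). The `sha256=<hex>` header format, the secret and the sample body are constructed assumptions; the re-serialized case shows why the HMAC must be computed over the raw request bytes.

```python
import hashlib
import hmac
import json

# Constructed sample values for illustration only.
SECRET = b"whsec_example_not_a_real_key"
RAW_BODY = b'{"event": "payment.succeeded", "amount": 1200}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Return the header value a sender would attach: 'sha256=<hex HMAC>'."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Recompute the HMAC over the raw body bytes and compare in constant time."""
    if not header_value:
        return False
    scheme, sep, received_hex = header_value.partition("=")
    if sep != "=" or scheme != "sha256":
        return False  # missing or unexpected algorithm prefix (assumed format)
    expected_hex = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest does not stop at the first mismatching character,
    # so response time does not reveal how much of the signature was right.
    return hmac.compare_digest(expected_hex.encode(), received_hex.encode())


def demo() -> dict:
    header = sign(SECRET, RAW_BODY)
    # Parsing and re-encoding JSON changes whitespace, so the bytes differ.
    reserialized = json.dumps(json.loads(RAW_BODY), separators=(",", ":")).encode()
    return {
        "valid": verify(SECRET, RAW_BODY, header),
        "tampered_body": verify(SECRET, RAW_BODY.replace(b"1200", b"9900"), header),
        "reserialized_body": verify(SECRET, reserialized, header),
        "wrong_key": verify(b"other-key", RAW_BODY, header),
        "malformed_header": verify(SECRET, RAW_BODY, "deadbeef"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

In a web framework, read the body as bytes before any JSON middleware parses it, and pass those bytes to `verify`.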