Generate HMAC signatures (SHA-1/256/384/512) from a message and secret key. Uses WebCrypto.
Generate Hash-based Message Authentication Codes (HMAC) from any message and secret key. Pick SHA-1, SHA-256, SHA-384, or SHA-512, and export the signature as Hex or Base64. Useful for signing webhook payloads, API requests, and any scenario where you need to verify a message came from a party holding a shared secret. Runs entirely in your browser using the Web Crypto API — your secret and payload never leave the page.
Paste the message you want to sign into the Message field.
Enter the shared secret key.
Pick the hash algorithm (SHA-256 is a common default).
Choose Hex or Base64 encoding for the output.
Copy the signature and send it alongside your payload.
HMAC is used to verify both the integrity and authenticity of a message. Sender and receiver share a secret key; the sender signs the message with HMAC, and the receiver recomputes the signature to confirm the message is untampered and originated from someone who knows the secret.
SHA-256 is the modern default and matches what most APIs (AWS, Stripe, GitHub webhooks) use. Use SHA-384 or SHA-512 when a provider specifies them. Avoid SHA-1 for new systems — it's only here for compatibility with legacy services.
Yes. The message, secret key, and signature never leave your browser. All computation happens client-side with the Web Crypto API.
They're two encodings of the same underlying bytes. Hex doubles the length (one byte becomes two hex chars); Base64 is more compact (~33% overhead). Pick whichever your API expects.
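The sign-and-verify flow described above, covering both the sender and the receiver, as an added example (not this tool's source code). The function names `hmacSign`, `hmacVerify` and `decodeSignature` are chosen for illustration; the Web Crypto calls are the standard `crypto.subtle` API, and the `require` fallback only matters on older Node.js versions without a global `crypto`.

```javascript
// Added example: HMAC signing and verification with the Web Crypto API.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder();

// Import the shared secret as a non-extractable HMAC key bound to one hash.
// hash is "SHA-1", "SHA-256", "SHA-384" or "SHA-512".
async function importKey(secret, hash) {
  return subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash }, false, ["sign", "verify"]);
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));

// Turn a received Hex or Base64 signature back into raw bytes.
// Returns null for malformed input so the caller can reject it outright.
function decodeSignature(signature, encoding) {
  if (encoding === "hex") {
    if (!/^(?:[0-9a-fA-F]{2})+$/.test(signature)) return null;
    return Uint8Array.from(signature.match(/../g), (h) => parseInt(h, 16));
  }
  try {
    return Uint8Array.from(atob(signature), (c) => c.charCodeAt(0));
  } catch {
    return null;
  }
}

// Sender side: compute the MAC and encode it for transport.
async function hmacSign(message, secret, hash = "SHA-256", encoding = "hex") {
  const key = await importKey(secret, hash);
  const mac = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(message)));
  return encoding === "hex" ? toHex(mac) : toBase64(mac);
}

// Receiver side: decode the received signature and hand the raw bytes to
// subtle.verify, instead of comparing encoded strings with ===.
async function hmacVerify(message, secret, signature, hash = "SHA-256", encoding = "hex") {
  const sigBytes = decodeSignature(signature, encoding);
  if (!sigBytes) return false;
  const key = await importKey(secret, hash);
  return subtle.verify("HMAC", key, sigBytes, enc.encode(message));
}
```

The receiver must verify against the exact bytes it received; re-serializing a parsed JSON payload before verification usually changes the bytes and makes a valid signature fail.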