About this tool
HMAC (Hash-based Message Authentication Code) combines a message with a secret key and a hash function to produce a signature that proves both the integrity and the authenticity of the message. Anyone who shares the secret can recompute the HMAC and confirm the message was not tampered with — it is the mechanism behind webhook signatures (Stripe, GitHub, Slack), signed cookies and many API authentication schemes.
Enter your message and secret, pick the hash algorithm and output encoding, and the signature updates as you type. It is computed with the Web Crypto API in your browser, so neither the message nor the secret is ever sent to a server. Use SHA-256 unless a specific integration requires otherwise.
The message and secret never leave your browser — the HMAC is computed locally with the Web Crypto API.
Frequently asked questions
What is the difference between an HMAC and a plain hash?
Anyone can compute a plain hash (like SHA-256) from the message alone, so it only proves integrity. An HMAC also mixes in a secret key, so a valid signature also proves the sender knew the secret, which is what makes it useful for authentication.
Which algorithm should I use?
SHA-256 is the standard choice and what most APIs expect. SHA-384 and SHA-512 offer larger outputs; SHA-1 is supported for legacy integrations but is no longer recommended for new systems.
Is hex or Base64 output better?
They encode the same bytes — pick whichever your integration expects. Webhook providers usually specify one; for example GitHub uses hex, while some others use Base64.
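The computation described above, as an added example that is not this tool's own code: HMAC signing with the Web Crypto API in hex or Base64, plus verification of a received signature in either encoding. The function names (hmac, verifyHmac, decodeTag) are assumptions made for illustration, and the message and secret at the end are constructed sample values.

```javascript
// Web Crypto is global in browsers and recent Node; older Node exposes it via node:crypto.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();

// Import the shared secret as a non-extractable HMAC key for the chosen hash.
function importKey(secret, hash) {
  return subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash }, false, ["sign", "verify"]);
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));

// Decode a received signature to bytes; malformed input yields null instead of throwing.
function decodeTag(text, encoding) {
  if (encoding === "hex") {
    if (!/^(?:[0-9a-fA-F]{2})+$/.test(text)) return null;
    return Uint8Array.from(text.match(/../g), (h) => parseInt(h, 16));
  }
  try {
    return Uint8Array.from(atob(text), (c) => c.charCodeAt(0));
  } catch {
    return null;
  }
}

// Compute the HMAC of a message and return it in the requested encoding.
async function hmac(message, secret, { hash = "SHA-256", encoding = "hex" } = {}) {
  const key = await importKey(secret, hash);
  const tag = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(message)));
  return encoding === "hex" ? toHex(tag) : toBase64(tag);
}

// Verify on the decoded bytes via subtle.verify rather than comparing strings with ===.
async function verifyHmac(message, secret, received, { hash = "SHA-256", encoding = "hex" } = {}) {
  const tag = decodeTag(received, encoding);
  if (tag === null) return false; // reject malformed signatures outright
  const key = await importKey(secret, hash);
  return subtle.verify("HMAC", key, tag, enc.encode(message));
}

// Constructed sample input: print the hex signature and the result of verifying it.
hmac("hello", "secret").then(async (sig) => console.log(sig, await verifyHmac("hello", "secret", sig)));
```

When checking a webhook, pass the exact raw request body as the message; re-serialised JSON will generally not produce the same bytes.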