Zero Signup ToolsFree browser tools

Security Tools

HMAC Generator

Generate and verify HMAC signatures in your browser. SHA-1, SHA-256, SHA-384, SHA-512, hex and Base64 output, no upload.

Modern default. Used by JWT (HS256), AWS Signature v4, GitHub, Stripe, Shopify, and Slack webhook signatures.

4 chars
28 chars
Or load a sample

HMAC is computed in your browser using the Web Crypto API. The key, message, and signatures you paste are never uploaded.

HMAC-SHA-256 signature

Enter a key and message to compute the signature

No signature yet

How to use

  1. Pick an algorithm (HMAC-SHA-256 by default), then choose Generate or Verify signature.
  2. Paste your secret key and message. Switch the per-input encoding between UTF-8 text, Hex, or Base64 to match how your key was delivered.
  3. Read the hex, Base64, and Base64 URL-safe signatures in the result panel and click Copy on any row.
  4. In Verify mode, paste an expected signature to run a constant-time comparison and see a match, length mismatch, or invalid encoding verdict.

About this tool

HMAC Generator computes Hash-based Message Authentication Codes using the Web Crypto API in your browser. Pick an algorithm (HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512), paste a secret key and a message, and the tool returns the signature in lowercase hex, UPPERCASE hex, standard Base64, and URL-safe Base64 at the same time. Each input accepts UTF-8 text, hex, or Base64, which matters for real-world signing flows where keys are often delivered as random bytes encoded in hex (Stripe, AWS) or Base64 (Slack, Shopify), and where the message body may already be a binary payload. A built-in Verify mode lets you paste an expected signature (hex or Base64, with the sha256= prefix automatically tolerated) and runs a constant-time comparison that returns match, mismatch, or length mismatch. Constant-time matters: a naive comparison leaks information about how many leading bytes match, which is exactly the side-channel webhook attackers look for. Useful for signing and verifying webhooks (GitHub, Stripe, Shopify, Slack, Twilio, Mailgun), generating AWS Signature v4 string-to-sign components, signing API requests, computing HOTP/TOTP intermediate values, validating JWT HS256/HS384/HS512 signatures by hand, and any place a developer needs an HMAC. Loaded samples include the canonical RFC 4231 test vectors so you can confirm the implementation matches the standard. Computation runs entirely in your browser, so the secret keys and message bodies you paste never leave your device.

Free to use. Works in your browser. No signup, no login.

Related tools

You may also like

All tools
Security

SHA-256 Hash Generator

Hash text or files with SHA-1, SHA-256, SHA-384, and SHA-512.

Open tool

Developer

Base64 Encoder Decoder

Encode and decode Base64 with full Unicode.

Open tool

Developer

JWT Decoder

Decode header, payload, and claims of a JWT with expiry checks.

Open tool

Security

Password Generator

Strong random passwords with length and character controls.

Open tool

All toolsSecurity Tools