HMAC Generator

Compute HMAC digests from text + secret key

Choose a hashing function and output encoding, then copy the HMAC instantly — all in your browser

Last updated: January 24, 2026

CreatorFrank Zhao

Plain text to compute the hash

Secret key

Hashing function

Output encoding

HMAC of your text

HMAC is a simple idea with big impact: it lets two parties share a secret key and verify that a message has not been tampered with. This guide explains how to use the HMAC Generator, what the output means, and common pitfalls to avoid.

→Introduction / Overview →How to Use / Quick Start →Real-World Examples / Use Cases →Common Scenarios / When to Use →Tips & Best Practices →Calculation Method / Formula Explanation →Related Concepts / Background Info →Frequently Asked Questions (FAQs)→Limitations / Disclaimers →External References / Sources

Introduction / Overview

The HMAC Generator computes a hash-based message authentication code from a plaintext message and a secret key. Unlike plain hashing, HMAC proves that the sender knew the secret key — which is exactly what you need for signature verification in APIs, webhooks, and internal systems.

What problems does it solve?

Verifies that a received payload hasn’t been modified in transit.
Proves the request came from someone who knows the shared secret.
Helps you debug signature mismatches by comparing expected vs actual.

HMAC is for authenticating messages, not for storing passwords. For password storage, use dedicated password hashing (like bcrypt) with a per-user salt.

If you’re also working with plain digests, you may like our Hash Text tool. If you need password hashing specifically, use Bcrypt.

How to Use / Quick Start

Paste the message

Put the exact plaintext payload you want to authenticate (for example, a webhook JSON body).

Enter the secret key

This is your shared secret. Keep it private and prefer a long, random key.

Choose hashing function + output encoding

For modern APIs, HMAC-SHA-256 is a safe default. Choose Hex if you’re matching most docs; choose Base64/Base64URL if your system expects that.

Copy and compare

Copy the HMAC output and compare it with the signature you received (for example, an HTTP header).

Quick example A: HMAC-SHA-256 in Hex

Suppose you choose SHA-256 and Hex. The output is always $32\ \mathrm{bytes}$ . In hex, that becomes $2\ \mathrm{hex\ chars\ per\ byte}$ , so you should see exactly:

32\ \mathrm{bytes}\times 2=64\ \mathrm{hex\ characters}

If your result is not 64 hex characters, you are probably using a different algorithm, encoding, or text normalization.

Quick example B: HMAC-SHA-1 in Base64

SHA-1 output is $20\ \mathrm{bytes}$ . Base64 length is:

\mathrm{len}_{b64}=4\left\lceil\frac{n}{3}\right\rceil

n=20

\Rightarrow

\mathrm{len}_{b64}=4\left\lceil\frac{20}{3}\right\rceil

=

4\times 7

=

28

So a Base64 HMAC-SHA-1 string is typically 28 characters (including padding).

Real-World Examples / Use Cases

Webhook signature debugging

Background: your server receives a webhook with a signature header. You want to reproduce the signature to find out why verification fails.

Inputs (example)

Message: raw request body (for example $512\ \mathrm{bytes}$ of JSON)

Secret key: shared secret (for example $32\ \mathrm{bytes}$ )

Settings: $\mathrm{HMAC\text{-}SHA256}$ + Hex

\mathrm{len}_{hex}

=

2\times 32

=

64

Result: you should get a 64-character hex string. If your provider prefixes the header with $\texttt{sha256=}$ , the header value length becomes: $7+64=71$ .

Signing internal audit logs

Background: you generate log lines that should be tamper-evident.

Inputs (example)

Message: one log line (for example $180\ \mathrm{bytes}$ )

Settings: $\mathrm{HMAC\text{-}SHA512}$ + Base64URL

n=64\ \mathrm{bytes}

\Rightarrow

\mathrm{len}_{b64}=4\left\lceil\frac{64}{3}\right\rceil

=

88

Result: Base64 is 88 characters (including padding). If you use Base64URL without padding, it is typically $88-2=86$ characters.

Request authentication in APIs

Background: you sign method + path + body so servers can reject modified requests.

Inputs (example)

Canonical string length: $120\ \mathrm{bytes}$ (method + path + timestamp + body)

Settings: $\mathrm{HMAC\text{-}SHA256}$ + Base64

n=32\ \mathrm{bytes}

\Rightarrow

\mathrm{len}_{b64}=4\left\lceil\frac{32}{3}\right\rceil

=

44

Result: Base64 output is 44 characters (often with one padding character). If your API expects Base64URL without padding, it is commonly 43 characters.

Quick sanity-check for tokens

Background: you need a compact signature string to attach to a payload.

Base64URL is often the best transport format.

If you switch to Binary output for SHA-256, you will see exactly $256$ bits.

If you need a random token, use Token Generator instead.

Tip for mismatches

If your server expects a prefix (like $\texttt{sha256=}$ ) or expects Base64 instead of Hex, your values may look different even when the underlying bytes match.

Common Scenarios / When to Use

Verifying webhook payloads

Use HMAC to confirm a webhook body is authentic and unmodified.

Signing API requests

Sign canonical strings to detect tampering or replay (with timestamps/nonces).

Tamper-evident logs

Attach a signature to each record so changes are detectable.

Debugging canonicalization

Compare signatures while you adjust whitespace, newline endings, or JSON formatting.

Matching output formats

Switch between Hex/Base64/Base64URL/Binary to match what your platform expects.

When not to use HMAC

Don’t use HMAC as a password hash. Use bcrypt (or a modern password hashing scheme) instead.

Tips & Best Practices

Choose a good key

Use a long, random key (think “password-manager generated”), not a short phrase.
Never share secret keys in support tickets or screenshots.

Prefer SHA-256 or SHA-512

In new systems, $\mathrm{HMAC\text{-}SHA256}$ is a widely supported default. Avoid MD5 for security-sensitive designs.

Use constant-time comparison in code

When verifying signatures, compare values using a constant-time function to reduce timing side-channels. This tool is for computing the expected signature; your production verification should still be careful.

Watch out for encoding differences

Hex vs Base64 is the most common mismatch.
Base64URL is Base64 with $+\to-$ and $/\to_$ , often without padding.
Newlines matter: $\texttt{\\n}$ vs $\texttt{\\r\\n}$ changes the result.

Pro tip: start with a known-good test vector

If you’re implementing verification in code, try an official test vector first, then switch to your real payload. This helps you isolate bugs in encoding vs cryptography.

Calculation Method / Formula Explanation

HMAC wraps a hash function in a secure construction. You don’t need to compute it by hand, but understanding the structure helps when debugging.

Core definition

\mathrm{HMAC}(K, m)

=

H\bigl((K\oplus \mathrm{opad})\ \|\ H((K\oplus \mathrm{ipad})\ \|\ m)\bigr)

Here $K$ is the secret key, $m$ is the message, $H$ is the selected hash function, and $\oplus$ is XOR.

Output size and encodings

The HMAC output length equals the underlying hash digest length. For example, for SHA-256:

\mathrm{digest}_{\mathrm{SHA256}}

=

256\ \mathrm{bits}

=

32\ \mathrm{bytes}

=

64\ \mathrm{hex\ chars}

Base64 length is $4\lceil n/3\rceil$ for $n$ bytes.

Variable glossary

$m$ : message (your plaintext).
$K$ : secret key.
$H$ : selected hash function (e.g., SHA-256).
$\mathrm{ipad},\ \mathrm{opad}$ : fixed padding constants defined by the HMAC specification.

Related Concepts / Background Info

HMAC vs plain hash

A plain hash (like SHA-256) is great for checksums, but anyone can compute it. HMAC adds a secret key, so only trusted parties can produce the correct value.

Transport format: Hex vs Base64

Hex uses only $[0\text{-}9a\text{-}f]$ and is easy to read. Base64 is shorter. Base64URL is URL-safe.

What HMAC does not protect against

Replay attacks (add a timestamp/nonce in the message).
Confidentiality (use encryption like AES if you need secrecy).

Frequently Asked Questions (FAQs)

Why does my HMAC not match the one from the server?

The top causes are: different encoding (Hex vs Base64), different newlines, different JSON formatting, or a missing prefix. Ensure both sides sign the exact same byte sequence.

Is HMAC the same as encryption?

No. HMAC provides integrity and authenticity, not secrecy. If you need confidentiality, encrypt the message (for example, with AES) and then authenticate it.

Which algorithm should I pick?

For new designs, $\mathrm{HMAC\text{-}SHA256}$ is a good default. If you need shorter outputs, consider SHA-1 only for legacy compatibility.

What is Base64URL and why does it look different?

Base64URL replaces characters to be URL-safe and often drops padding. It represents the same bytes, just with a different alphabet.

Can I include my secret key in a shared link?

You shouldn’t. This page intentionally shares configuration but never includes the secret key.

Why is the output length fixed?

Because the digest size is fixed. For SHA-256, it’s $256\ \mathrm{bits}$ . In Hex that’s $64$ characters.

Limitations / Disclaimers

Security disclaimer

This calculator runs locally in your browser, but you should still avoid pasting production secrets on shared machines. Use it primarily for development and debugging.

Not a substitute for professional review

Cryptographic design choices depend on threat models and operational constraints. For production systems, consult established standards and security guidance.

External References / Sources

Related Calculators

Chronometer

Use a simple chronometer (stopwatch) to track elapsed time down to milliseconds. Runs locally in your browser.

Try Now

Email normalizer

Normalize email addresses to a standard format for easier comparison. Useful for deduplication and data cleaning. Runs locally in your browser.

Try Now

ETA calculator

Estimate the time needed to consume a total amount at a constant rate, and get an expected end time. Runs locally in your browser.

Try Now

JWT parser

Parse and decode your JSON Web Token (JWT) and display its content. All computation runs locally in your browser.

Try Now

MIME types

Know which file extensions are associated to a MIME type, and which MIME type is associated to a file extension. Includes a full MIME types table.

Try Now

Lorem ipsum generator

Generate random Lorem Ipsum placeholder text with customizable paragraphs, sentences, and word counts. Runs locally in your browser.

Try Now