Overview
Generate an HMAC for any message
HMAC stands for Hash-based Message Authentication Code. It combines a message with a secret key and a hash function to produce a fixed-size digest. Unlike a plain hash, an HMAC proves two things at once: that the message was not altered and that it came from someone who knows the key.
ToolHub HMAC Generator computes the digest for your message using SHA-1, SHA-256, SHA-384, or SHA-512 and shows it as a lowercase hex string. The result updates live as you type, and everything runs in your browser.
Step-by-step
How to generate an HMAC
1. Enter your message
Type or paste the text you want to authenticate into the message box. The digest recomputes as you type.
2. Add a secret key
Enter the shared secret. The same key is needed on the other side to verify the digest later.
3. Pick a hash and copy
Choose SHA-256 for most needs, then click copy to grab the lowercase hex output.
Background
How HMAC differs from a plain hash
A plain hash like SHA-256 turns any input into a fixed-size fingerprint, but anyone can recompute it because there is no secret involved. HMAC folds a secret key into the process, so only parties holding the key can produce or verify a valid digest. That is what makes it an authentication code rather than just a checksum.
Which algorithm should I pick?
SHA-256 is the safe default for most applications. SHA-384 and SHA-512 produce longer digests when a policy requires them. SHA-1 is offered for compatibility with older systems but should not be used for new designs.
Why hex output?
The raw HMAC is a sequence of bytes. Showing it as lowercase hex gives a stable, copy-friendly form that matches what most libraries and APIs print. Each byte becomes two hex characters.
Use cases
When to use HMAC
Signing webhook payloads
Many providers send an HMAC header so you can confirm a webhook really came from them.
Verifying API requests
Sign requests with a shared secret so the server can reject tampered or forged calls.
Protecting cookies and tokens
Attach an HMAC so the server can detect if a client modified a signed value.
Comparing implementations
Check that your code and a third-party service produce the same digest for the same input.
Message integrity checks
Detect accidental corruption in transit when both ends share a key.
Debugging signature mismatches
Reproduce an expected HMAC locally to find why a verification step is failing.
Tips and best practices
- Use a long, random secret key. The strength of HMAC depends on keeping the key secret.
- Prefer SHA-256 or stronger. Avoid SHA-1 for anything new.
- Match encodings carefully. Both sides must agree on UTF-8 for the message and key.
- Compare digests with a constant-time check in production to resist timing attacks.
- Never reuse the same key across unrelated systems. A leak in one then affects all of them.
Common questions
Is HMAC the same as encryption?
No. HMAC does not hide the message. It produces a tag that proves integrity and authenticity. To keep a message secret you need encryption, which is a separate step.
Does the same input always give the same HMAC?
Yes. For a fixed message, key, and algorithm the output is deterministic. Change any one of them and the digest changes completely.
What if I leave the key empty?
An empty key still produces a valid HMAC, but it offers no security because anyone can reproduce it. Always use a real secret in practice.
Why does my digest differ from another tool?
The most common cause is a different encoding of the message or key, or trailing whitespace such as a newline. Make sure both inputs match exactly, including the algorithm. Use SHA-256 on both sides to compare.
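The constant-time comparison from the tips and the mismatch causes listed in this answer can be checked together in code. The following Python sketch is an added example, not ToolHub's own code; the function names `hmac_hex`, `verify` and `diagnose` and the sample key and message are assumptions made for illustration.

```python
import hmac

ALGORITHMS = ("sha1", "sha256", "sha384", "sha512")  # the four hashes the page lists


def hmac_hex(message: str, key: str, algorithm: str = "sha256") -> str:
    """Lowercase hex HMAC with message and key both encoded as UTF-8."""
    return hmac.new(key.encode("utf-8"), message.encode("utf-8"), algorithm).hexdigest()


def verify(message: str, key: str, received_hex: str, algorithm: str = "sha256") -> bool:
    """Constant-time check of a received hex tag against the expected one."""
    expected = hmac_hex(message, key, algorithm).encode("ascii")
    received = received_hex.strip().lower().encode("utf-8")
    # compare_digest does not stop at the first differing byte, unlike ==.
    return hmac.compare_digest(expected, received)


def diagnose(message: str, key: str, received_hex: str, algorithm: str = "sha256") -> str:
    """Debugging aid: name the first common cause that explains a mismatch."""
    if verify(message, key, received_hex, algorithm):
        return "match"
    for other in ALGORITHMS:
        if other != algorithm and verify(message, key, received_hex, other):
            return f"algorithm mismatch: tag was computed with {other}"
    variants = {
        "message has extra trailing whitespace": (message.rstrip(), key),
        "message is missing a trailing newline": (message + "\n", key),
        "key has extra trailing whitespace": (message, key.rstrip()),
    }
    for reason, (m, k) in variants.items():
        if (m, k) != (message, key) and verify(m, k, received_hex, algorithm):
            return reason
    return "no match: wrong key, altered message, or different encoding"


if __name__ == "__main__":
    key = "constructed-demo-key"          # constructed sample secret
    tag = hmac_hex("order=42", key)       # tag as the sender computed it
    print(diagnose("order=42\n", key, tag))  # local copy picked up a newline
```

Use `verify` in the request path and keep `diagnose` for local debugging only, since it deliberately tries several inputs against one tag.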
100% private