Computed locally with the Web Crypto API — your message and secret never leave your browser.
Generate HMAC-SHA256, SHA-384, SHA-512 & SHA-1 online, free. HMAC (Hash-based Message Authentication Code, defined by RFC 2104 and FIPS 198-1) combines a secret key with a hash function to prove both the integrity and the authenticity of a message — only someone who knows the key can produce or verify the code. This tool computes the HMAC of your message with SHA-256, SHA-384, SHA-512 or SHA-1 using the browser's Web Crypto API, output as hex or Base64, entirely on your device.
HMACs are computed with the browser's standards-based Web Crypto API (SubtleCrypto.sign), so the message and the secret key are never uploaded, logged, or stored — safe for production signing keys. 100% free, no registration, and complete privacy — everything runs locally in your browser, so your data never touches a server.
Compute HMAC with SHA-256 (the common default), SHA-384, SHA-512 or SHA-1 — pick the one your API or webhook expects.
Switch the digest encoding between lowercase hex and Base64 to match exactly what your verifier compares against.
The HMAC recomputes instantly via the Web Crypto API whenever the message, key, algorithm or encoding changes.
Both the message and the secret key are processed locally; nothing is transmitted, so it is safe for real signing keys.
An HMAC mixes a secret key into the hashing process (per RFC 2104), so unlike a plain SHA-256 digest — which anyone can recompute — only parties who hold the key can generate or verify the code. That is what lets webhooks and APIs prove a message is authentic and untampered.
HMAC-SHA256 is the de-facto standard and what most APIs (Stripe, GitHub, AWS) expect. Use SHA-384 or SHA-512 when a service explicitly requires a longer digest. HMAC-SHA1 is still secure as an HMAC for legacy compatibility, but prefer SHA-256 for new systems.
Yes — this HMAC generator is free with no signup and runs entirely in your browser, so your message and secret never reach a server. It supports SHA-256/384/512/SHA-1 with hex or Base64 output, covering the same cases as FreeFormatter's tool while keeping your key private.
It depends on what your verifier compares against. Many webhook signatures (GitHub, Stripe) use lowercase hex; others (some AWS and OAuth flows) use Base64. The HMAC bytes are identical — only the text encoding differs — so switch to whichever your system expects.
Yes. The HMAC is computed with the browser's Web Crypto API entirely on your device; the key and message are never uploaded, logged, or stored. Still, treat production keys carefully and only use tools whose privacy you can verify.
The most common causes are a different output encoding (hex vs Base64), trailing whitespace or a newline in the message, a key with extra characters, or the wrong hash algorithm. Match the exact bytes the server signs, including any line endings, and pick the same algorithm.
We use cookies for analytics and personalized ads to help keep these tools free. Until you accept, ads stay non-personalized and analytics cookies are off. See our Privacy Policy.