epitometool

HMAC generator

Security tools

Generate HMAC signatures (SHA-1, SHA-256, SHA-512) for API and webhook testing.

Quick start

How to generate HMAC

Set the message, secret and algorithm to create the signature.

  1. Enter message: paste the payload and the secret key.
  2. Select algorithm: choose SHA-1, SHA-256 or SHA-512.
  3. Generate signature: copy the resulting hex digest.

In-depth guide

HMAC signatures: verifying webhooks, signed URLs and API requests

An HMAC (Hash-based Message Authentication Code) proves two things at once: that a message has not been altered, and that it came from someone who holds a shared secret. It is the mechanism behind GitHub and Stripe webhook signatures, signed download URLs and many API authentication schemes. This tool computes HMAC-SHA1, HMAC-SHA256 and HMAC-SHA512 in your browser with WebCrypto.

How HMAC works

HMAC folds the shared secret into a cryptographic hash of the message in a specific two-pass construction. The result is a fixed-length hex digest that changes completely if even one byte of the message or the key changes. Crucially, you cannot forge a valid digest without knowing the secret, which is what makes it an authentication code rather than a plain checksum.

How to use this tool

  1. Paste the message (for a webhook, this is the raw request body).
  2. Enter the shared secret exactly as your provider stores it.
  3. Select the hash algorithm and copy the resulting digest.

To verify an incoming webhook, compute the HMAC of the received body with your secret and compare it to the signature header — they must match exactly.

When to use it vs alternatives

Reach for HMAC when both parties can share a secret in advance — webhook verification, signed URLs, internal service-to-service calls. When the verifier should not hold the signing key (for example, public token verification), use asymmetric signatures such as RSA or ECDSA / JWT RS256 instead.

Pitfalls and security

  • Sign the exact raw bytes you receive. Re-serialising JSON before hashing is the most common reason a webhook signature fails to match.
  • Compare digests in constant time on the server to avoid timing attacks; a plain string equality check can leak information.
  • Rotate secrets periodically and treat them like passwords — never commit them to source control.
  • Privacy: the message, secret and digest are computed locally in your browser and never uploaded.

Frequently asked questions

Which HMAC algorithms are supported?

HMAC-SHA1, HMAC-SHA256 and HMAC-SHA512, computed in the browser with the WebCrypto API.

What is the difference between HMAC and a plain hash?

A plain hash anyone can recompute. HMAC mixes in a shared secret, so only someone with that secret can produce a valid digest — it authenticates the sender as well as detecting tampering.

Is the output deterministic?

Yes. The same message, secret and algorithm always produce the same digest, which is how a receiver can verify a signature.

My webhook signature does not match — why?

Almost always because the body was re-serialised before hashing. Sign and verify the exact raw bytes you received; reformatting JSON changes the digest.

When should I use asymmetric signatures instead?

Use RSA or ECDSA (or JWT RS256) when the party verifying the signature should not be able to create one — for example, public token verification across many services.

Does my message or secret leave the browser?

No. The message, secret and digest are processed locally via WebCrypto and never uploaded.
