HMAC Generator Online – HMAC-SHA256, SHA512, MD5, API Signature Calculator
Compute HMAC signatures and cryptographic hashes for text input. HMAC-MD5, HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, HMAC-SHA3, HMAC-RIPEMD, HMAC-Whirlpool, and more. Hash text with MD5, SHA-1, SHA-2, SHA-3, Keccak, RIPEMD, SM3, Tiger. Hex/Base64 output, UTF-8/Hex input encoding. Runs locally.
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a mechanism that combines a cryptographic hash function with a secret key to produce an authenticated digest. Unlike a plain hash — which only proves data integrity — an HMAC also proves authenticity: only a party that knows the secret key can reproduce the same value. This property makes HMAC the standard primitive for API request signing, webhook verification, JWT token signing (HS256/HS512), and secure message authentication.
This tool provides two modes. The Hash tab computes plain cryptographic hashes and checksums for any text input across 53 algorithms in 10 categories. The HMAC tab generates authenticated hashes using a secret key across 28 cryptographic algorithms. All computation runs locally in your browser via WebAssembly — no data is ever uploaded to a server.
How This HMAC Generator & Hash Calculator Works
Enter your text in the input area, select the algorithms you need, and results appear immediately. Switch between Hash and HMAC modes using the tabs at the top.
Supported Features:
- Hash Tab — 53 Algorithms in 10 Categories:Legacy (MD2, MD4, MD5, GOST R 34.11-94, GOST CryptoPro), SHA-1, SHA-2 family (SHA-224/256/384/512, SHA-512/224/256), SHA-3 family (SHA3-224/256/384/512), Keccak variants (224/256/384/512), BLAKE family (BLAKE2s-256, BLAKE2b-512, BLAKE3), RIPEMD variants (128/160/256/320), Tiger variants (Tiger-192, Tiger2-192, Tiger-128/3, Tiger-160/3), Other crypto (SM3, Whirlpool, Streebog-256/512), and Checksum (Adler-32, xxHash-32/64, xxHash3-64/128, FNV-1/FNV-1a 32/64, JOAAT, MurmurHash3-32/128, CRC-16, CRC-32, CRC-32C, CRC-64).
- HMAC Tab — 28 Cryptographic Algorithms:All algorithms from MD2, MD4, MD5 through SHA-1, SHA-2, SHA-3, Keccak, RIPEMD, SM3, Whirlpool, Streebog, Tiger, and Tiger2. Non-cryptographic checksums (xxHash, CRC, FNV, MurmurHash3, Adler-32) are excluded from HMAC mode as they do not support the HMAC construction.
- Category-Based Algorithm Selection:Toggle individual algorithms or click a category checkbox to select or deselect an entire group at once.
- Dual Input Encoding:Both the message and the HMAC secret key support UTF-8 (plain text) and hexadecimal encoding. Hex mode decodes your input as raw bytes before hashing, useful when working with binary data represented as hex strings.
- 5 Output Formats:Choose from lowercase hex, uppercase hex, colon-separated (e.g., d8:5e:5d...), Base64, or C-style array ({0xd8, 0x5e...}) for all outputs.
- Settings Persistence:Your selected algorithms, output format, active mode, and encoding preferences are automatically saved to localStorage and restored on your next visit.
- Click-to-Copy:Click any result field to copy its value to the clipboard instantly.
- 100% Local Processing:No data — message text, secret key, or computed hashes — is ever sent to a server. Everything runs in your browser using WebAssembly compiled from Rust.
Quick Start:
Hash mode:
- Select the Hash tab (active by default).
- Type or paste your text into the input area.
- Check the algorithms you need in the Options panel. SHA-256 and SHA-512 are selected by default.
- Results appear immediately below the input. Click any field to copy.
HMAC mode:
- Switch to the HMAC tab.
- Enter your secret key in the 'Secret key' field. Choose UTF-8 or Hex encoding for the key.
- Type or paste your message in the input area.
- Select algorithms and output format. HMAC results appear automatically.
Common Use Cases
1. API Request Signing
- AWS Signature Version 4:AWS uses HMAC-SHA256 chained across multiple steps (date, region, service, request) to sign API requests. Reproduce individual signing steps by entering the canonical string and derived signing key.
- REST API Authentication:Many APIs require clients to sign request bodies or headers with HMAC-SHA256 using a shared API secret. Generate and verify these signatures here.
- OAuth 1.0 Signatures:OAuth 1.0 uses HMAC-SHA1 (deprecated but still in use) to sign the base string. Generate the signature by entering the base string and the combined consumer + token secret key.
2. Webhook Signature Verification
- GitHub Webhooks:GitHub signs webhook payloads with HMAC-SHA256 using your secret token. Enter the raw request body and your secret to reproduce the X-Hub-Signature-256 header value.
- Stripe Webhooks:Stripe computes HMAC-SHA256 over 'timestamp.payload'. Enter the signed payload string and your webhook signing secret to verify the Stripe-Signature header.
- Twilio, Shopify, PayPal:Most major webhook providers use HMAC-SHA256. Use HMAC mode with SHA-256 selected to verify any of these signatures.
3. Data Integrity Verification
- Checksum Comparison:Use the Hash tab to generate SHA-256 or BLAKE3 hashes of text data and compare with published checksums.
- Non-Cryptographic Checksums:CRC-32, xxHash, MurmurHash3, and Adler-32 are fast checksums optimized for error detection rather than security — useful in embedded systems, networking, and database contexts.
- Legacy System Compatibility:MD5 and SHA-1 are still widely used in legacy systems for non-security checksums, certificate fingerprints, and Git object identifiers.
4. Development & Security Testing
- JWT Signature Debugging:JWT tokens using HS256, HS384, or HS512 are signed with HMAC-SHA256/384/512. Re-compute the signature by hashing the base64url-encoded header.payload with your secret key to debug or validate tokens.
- Embedded Firmware:Use CRC-16, CRC-32, CRC-32C, or CRC-64 to generate checksums for firmware images. Use the C-style array output format to paste values directly into C/C++ source code.
- Password Hash Research:Compare MD5, SHA-256, SHA-512, BLAKE3, and RIPEMD-160 hash outputs for the same input to understand how different algorithms behave. Note: for actual password storage, use bcrypt, Argon2, or PBKDF2 rather than raw hashes.
- Algorithm Benchmarking:Select multiple algorithms simultaneously and compare digest lengths, output formats, and hex representations to understand trade-offs between algorithms.
Step-by-Step Tutorial
Example 1: Verifying a GitHub Webhook
Goal:Reproduce the X-Hub-Signature-256 header to verify an incoming GitHub webhook.
- Switch to the HMAC tab.
- Paste the raw webhook request body (JSON payload) into the input area. Encoding: UTF-8.
- Enter your GitHub webhook secret in the 'Secret key' field. Encoding: UTF-8.
- Ensure SHA-256 is checked in the algorithm list.
- The computed HMAC-SHA256 should match the value after 'sha256=' in the X-Hub-Signature-256 header.
Payload:{"ref":"refs/heads/main","repository":{"name":"example"}}
Secret key:my_webhook_secret
HMAC-SHA256:(compare with X-Hub-Signature-256 header after 'sha256=')
Example 2: Comparing Hash Algorithm Outputs
Goal:Generate multiple hashes simultaneously to compare output lengths and understand algorithm differences.
- Select the Hash tab.
- Type a short test string like 'Hello, World!' into the input.
- Check MD5, SHA-256, SHA-512, BLAKE3, and RIPEMD-160 in the algorithm list.
- Observe how digest length varies: MD5 is 32 hex chars (128 bits), SHA-256 is 64 chars (256 bits), SHA-512 is 128 chars (512 bits).
- Switch the Output format to 'Colon separated' or 'C-style array' to see the same bytes in different representations.
Input:Hello, World!
- MD5 (128 bit): 65a8e27d8879283831b664bd8b7f0ad4
- SHA-256 (256 bit): dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986d
- BLAKE3 (256 bit): ede5c0b10f2ec4979c69b52f61e42ff5b413519ce09be0f14d098dcfe5f6f98d
- CRC-32 (32 bit): ec4ac3d0
Options
Input
TEXT ModeInput encoding:
Enter a message to compute hashes
Hash mode computes cryptographic hashes of text. For message authentication with a secret key, switch to HMAC mode.