
Free Online HMAC Generator

Generate HMAC (Hash-based Message Authentication Code) signatures instantly. Supports SHA-256, SHA-512, and SHA-1 algorithms. No data is stored or transmitted: everything runs in your browser.


How to Use This HMAC Generator

1. Choose Algorithm. Select the hash algorithm: SHA-256 (most common), SHA-512, SHA-384, or SHA-1.
2. Enter Key & Message. Provide a secret key and the message you want to authenticate.
3. Generate & Copy. Click Generate to compute the HMAC, then copy the signature with one click.

What Is HMAC?

HMAC (Hash-based Message Authentication Code) is a mechanism for computing a message authentication code using a cryptographic hash function combined with a secret key. Defined in RFC 2104, HMAC provides both data integrity and message authentication: it proves that a message hasn't been tampered with and that it was sent by someone who knows the secret key.

The formula is: HMAC(K, M) = H((K' ⊕ opad) || H((K' ⊕ ipad) || M)), where K is the key, K' is the key adjusted to the hash function's block size, M is the message, H is the hash function, ⊕ is XOR, || is concatenation, and ipad/opad are inner/outer padding constants. This double-hashing construction makes HMAC resistant to length-extension attacks that affect plain hash functions.

Common Uses of HMAC

API authentication. Most REST APIs use HMAC signatures to authenticate requests. Services like AWS, Stripe, and Twilio require clients to sign API requests with HMAC-SHA256 using a secret key. The server recomputes the HMAC to verify the request is authentic and unmodified.

Webhook verification. When services send webhook notifications (GitHub, Shopify, Slack), they include an HMAC signature in the headers. Your server recomputes the HMAC using your shared secret to verify the webhook is genuine and hasn't been forged.

JWT (JSON Web Tokens). JWTs signed with the HS256 algorithm use HMAC-SHA256 to create the signature segment. The server verifies the token's integrity and authenticity by recomputing the HMAC with its secret key.

Secure cookie signing. Web frameworks like Laravel, Django, and Express sign session cookies with HMAC to prevent tampering. If a user modifies the cookie value, the HMAC verification fails and the session is rejected.
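The server-side check described above for signed API requests and webhooks, as an added example that is not code from this tool or its authors. It assumes Node.js with the built-in crypto module; the function names, the sample body and the key are constructed for illustration.

```javascript
// Added example: recompute an HMAC and verify a received hex signature.
const nodeCrypto = require('node:crypto');

// HMAC over the exact bytes that were received. Sign the raw request body,
// not a re-serialized copy of parsed JSON, or the bytes may differ.
function computeHmac(algorithm, secret, rawBody) {
  return nodeCrypto.createHmac(algorithm, secret).update(rawBody).digest();
}

// Returns true only when signatureHex is a well-formed hex string (either
// case) whose bytes equal the recomputed HMAC. The comparison is constant-time
// so response timing does not reveal how many leading bytes matched.
function verifySignature(algorithm, secret, rawBody, signatureHex) {
  if (typeof signatureHex !== 'string' || !/^[0-9a-fA-F]+$/.test(signatureHex)) {
    return false; // missing header or non-hex characters
  }
  const expected = computeHmac(algorithm, secret, rawBody);
  const received = Buffer.from(signatureHex, 'hex');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  // This also rejects truncated signatures instead of comparing a prefix.
  if (received.length !== expected.length) {
    return false;
  }
  return nodeCrypto.timingSafeEqual(expected, received);
}

// Constructed sample data: a random 32-byte key and a made-up JSON body.
const SECRET = nodeCrypto.randomBytes(32);
const BODY = Buffer.from('{"event":"order.paid","id":42}', 'utf8');
const TAMPERED = Buffer.from('{"event":"order.paid","id":43}', 'utf8');
const GOOD_SIG = computeHmac('sha256', SECRET, BODY).toString('hex');

console.log('genuine body:  ', verifySignature('sha256', SECRET, BODY, GOOD_SIG));
console.log('uppercase hex: ', verifySignature('sha256', SECRET, BODY, GOOD_SIG.toUpperCase()));
console.log('tampered body: ', verifySignature('sha256', SECRET, TAMPERED, GOOD_SIG));
console.log('truncated sig: ', verifySignature('sha256', SECRET, BODY, GOOD_SIG.slice(0, 16)));
console.log('missing header:', verifySignature('sha256', SECRET, BODY, undefined));
```

A plain `===` comparison of hex strings would return the same results here, but it can leak timing information to a caller who submits many guesses; the constant-time comparison avoids that.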

Which Algorithm Should I Use?

HMAC-SHA256 is the most widely used and recommended choice for new implementations. It provides 256-bit security, is supported everywhere, and is required by most modern API standards.

HMAC-SHA512 is preferred on 64-bit systems where it is actually faster than SHA-256, and provides a larger security margin for high-assurance applications.

HMAC-SHA1: While SHA-1 alone has known collision vulnerabilities, HMAC-SHA1 remains secure due to HMAC's construction. However, it's being phased out in favour of SHA-256 for compliance reasons.

Is This HMAC Generator Safe?

Yes. This tool uses the browser's native Web Crypto API (crypto.subtle.sign), the same cryptographic engine used for HTTPS. No keys, messages, or HMACs are transmitted to any server. Everything runs entirely in your browser.

Frequently Asked Questions

What is the difference between a regular hash and HMAC?
A regular hash (SHA-256) only provides integrity: anyone can compute it. HMAC combines a hash with a secret key, providing both integrity and authentication. Only someone with the key can create or verify the HMAC.

How long should the secret key be?
Your key should be at least as long as the hash output (32 bytes for SHA-256, 64 bytes for SHA-512). Shorter keys are padded, longer keys are hashed first. Use a cryptographically random key, never a human-chosen password.

Is HMAC-SHA1 still secure?
Yes. While SHA-1 itself has collision vulnerabilities, HMAC-SHA1 remains secure because HMAC's construction doesn't rely on collision resistance. However, SHA-256 is preferred for new implementations.

Can HMAC be used for password storage?
No. HMAC is fast by design, which makes it unsuitable for password storage. Use bcrypt, scrypt, or Argon2 for passwords; they are intentionally slow to resist brute-force attacks.

Does the same input always produce the same HMAC?
Yes. HMAC is deterministic: the same key, message, and algorithm always produce the same output. This is what makes verification possible.

Tool Features

✓ SHA-1, SHA-256, SHA-384, SHA-512 support
✓ Uses native Web Crypto API
✓ 100% client-side, no server calls
✓ Show/hide secret key toggle
✓ Uppercase & lowercase output toggle
✓ One-click copy to clipboard
✓ No login or signup required

Need Custom Security Software?
Strong Webtech builds secure applications, encrypted platforms, and custom authentication systems for businesses in Lucknow.