HMAC Generator - HMAC Encrypt
Free online HMAC generator and HMAC encrypt tool. Generate HMAC (Hash-based Message Authentication Code) with SHA-256, SHA-512, or SHA-1. Create secure message authentication codes for API security, JWT signing, and data integrity verification. Supports hex and base64 output formats.
HMAC Generator - Generate Message Authentication Codes Online
A powerful online HMAC generator that creates Hash-based Message Authentication Codes using SHA-256, SHA-512, or SHA-1 algorithms. Perfect for developers implementing API authentication, JWT token signing, webhook verification, and secure data integrity checks. Supports both hexadecimal and base64 output formats.
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic algorithm that combines a hash function with a secret key to create a message authentication code.
Key features:
- Verifies both data integrity and authenticity
- Requires secret key (shared between sender/receiver)
- Based on standard hash functions (SHA-256, SHA-512, etc.)
- Used in APIs, JWTs, webhooks, and secure communications
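Simplified: HMAC = Hash(secret_key + message)
The actual construction (RFC 2104) hashes twice, using two padded forms of the key:
HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m))
where K' is the key padded to the hash block size. A plain Hash(secret_key + message) is not used in practice because, with SHA-1, SHA-256 and SHA-512, it is open to length-extension forgery.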
Example:
Message: "Hello, World!"
Secret: "mySecretKey"
HMAC-SHA256: a4e624d686e03ed2767c0abd85c14426b0b1157d2ce81d27bb4fe4bc1e4fa3a6
How do I generate an HMAC?
1. Enter your message/data
2. Enter your secret key
3. Select hash algorithm (SHA-256 recommended)
4. Choose output format (hex or base64)
5. Click 'Generate HMAC'
6. Copy the HMAC code
Example:
Message: "user=john&action=login"
Key: "api_secret_key_123"
Algorithm: HMAC-SHA256
Output: 64-character hex string
The same message + key will always produce the same HMAC.
What is HMAC used for?
HMAC is widely used for secure authentication and integrity verification:
✓ API Authentication:
- AWS signature verification
- GitHub webhooks
- API request signing
- OAuth signatures
✓ JWT (JSON Web Tokens):
- HS256, HS384, HS512 algorithms
- Token signature verification
✓ Message Integrity:
- Webhook payload verification
- Data tampering detection
- Secure message transmission
✓ Session Management:
- Cookie signing
- CSRF token generation
- Session validation
HMAC ensures both authenticity (sender has the key) and integrity (message unchanged).
Which HMAC algorithm should I use?
Choose based on your security needs:
HMAC-SHA256 (Recommended):
✓ Industry standard
✓ Fast and secure
✓ 64-character hex output
✓ Used by most APIs
✓ JWT HS256
HMAC-SHA512 (More Secure):
✓ Maximum security
✓ 128-character hex output
✓ Better for high-value data
✓ JWT HS512
HMAC-SHA1 (Legacy):
⚠️ Deprecated for new projects
✓ Only for legacy compatibility
✓ 40-character hex output
For most applications: Use HMAC-SHA256
For maximum security: Use HMAC-SHA512
Avoid SHA-1 for new projects.
How does HMAC verify messages?
HMAC verification process:
1. Sender:
- Creates message
- Generates HMAC with secret key
- Sends message + HMAC
2. Receiver:
- Receives message + HMAC
- Generates HMAC from message using same key
- Compares generated HMAC with received HMAC
- Match = authentic, no tampering
- Mismatch = reject (tampered or wrong key)
Example:
Message: "transfer $100"
Key: "shared_secret"
HMAC: abc123...
If attacker changes to "transfer $1000":
- New HMAC won't match
- Receiver rejects the message
HMAC protects against tampering and ensures sender authenticity.
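The sender and receiver steps above, in Python. This is an added example, not the tool's own code (the tool uses the Web Crypto API), and the function names sign and verify are assumptions. The receiver compares tags with hmac.compare_digest so the check runs in constant time, and a malformed or truncated tag is rejected rather than raising.

```python
import base64
import hashlib
import hmac

# Algorithms the page lists; SHA-1 is kept only for legacy interoperability.
ALGORITHMS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512, "sha1": hashlib.sha1}


def sign(key: bytes, message: bytes, algorithm: str = "sha256", fmt: str = "hex") -> str:
    """Sender side: return the HMAC tag as a hex or base64 string."""
    tag = hmac.new(key, message, ALGORITHMS[algorithm]).digest()
    return tag.hex() if fmt == "hex" else base64.b64encode(tag).decode("ascii")


def verify(key: bytes, message: bytes, received: str,
           algorithm: str = "sha256", fmt: str = "hex") -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    try:
        if fmt == "hex":
            received_tag = bytes.fromhex(received)
        else:
            received_tag = base64.b64decode(received, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False    # malformed tag: reject instead of raising
    expected = hmac.new(key, message, ALGORITHMS[algorithm]).digest()
    # compare_digest does not leak, through timing, how many leading bytes matched.
    # A truncated tag has a different length and is rejected as well.
    return hmac.compare_digest(expected, received_tag)


if __name__ == "__main__":
    key = b"shared_secret"  # sample key from the page's example
    tag = sign(key, b"transfer $100")
    print("original accepted:", verify(key, b"transfer $100", tag))
    print("tampered accepted:", verify(key, b"transfer $1000", tag))
```

In real use the key should come from a secret store or environment variable, not a literal in source code.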
Can I use HMAC for passwords?
NO! HMAC is NOT for password hashing.
HMAC:
✓ Message authentication
✓ API signatures
✓ Data integrity
✗ NOT password storage
For passwords, use:
✓ bcrypt (recommended)
✓ Argon2 (modern)
✓ PBKDF2 (acceptable)
Why?
- HMAC is fast, which makes guessing passwords by brute force cheap
- HMAC needs a separate key (with passwords, the password itself is the secret)
- HMAC has no built-in per-password salt or tunable work factor
HMAC and password hashing serve different purposes!
Key Features
- Generate HMAC from any message instantly
- Support for SHA-256, SHA-512, and SHA-1
- Hexadecimal or Base64 output format
- Secret key with show/hide toggle
- Web Crypto API for secure hashing
- Copy HMAC to clipboard
- Download HMAC as text file
- Algorithm and output info display
- Dark mode support
- 100% client-side processing
- Works offline
- No registration required