Monu Tools

HMAC Generator

Generate an HMAC for a message and secret key using SHA-1, SHA-256, SHA-384 or SHA-512, in your browser.

How to use the HMAC

  1. 01

    Pick a hash algorithm.

  2. 02

    Enter your secret key and the message.

  3. 03

    Copy the HMAC, shown as a hex digest.

Sign a message with a key

An HMAC generator that signs a message with a secret key using SHA-1, SHA-256, SHA-384 or SHA-512, and shows the result as a hex digest. Pick an algorithm, enter the key and the message, and copy the signature.

What an HMAC proves

HMAC stands for hash-based message authentication code. It is a keyed hash: combining a secret key with the message proves two things at once, that the message was created by someone who holds the key, and that it has not been altered in transit.

The difference from a plain hash is the key. Anyone can compute a SHA-256 of a message, but only someone with the shared secret can produce the correct HMAC, which is what turns a checksum into proof of authenticity.

Where HMAC shows up

That is why it is everywhere in web infrastructure. Webhooks from services like Stripe, GitHub and Slack sign each request with an HMAC so your server can verify the call really came from them, and many APIs sign requests the same way.

Choosing an algorithm

SHA-256 is the common default; SHA-384 and SHA-512 are stronger, while SHA-1 is legacy and best avoided for new systems.

Security note

It runs locally with the Web Crypto API, so your key and message are never uploaded, which is important since the key is a secret.

Frequently asked questions

What is an HMAC?

A keyed hash that proves a message was created by someone holding the secret key and was not altered. It is widely used for API request signing and webhooks.

Is my secret sent anywhere?

No. The HMAC is computed in your browser with the Web Crypto API, so the key and message never leave your device.

Which algorithm should I use?

SHA-256 is the common default. SHA-384 and SHA-512 are stronger; SHA-1 is legacy and best avoided for new systems.

How is HMAC different from a plain hash?

A plain hash anyone can compute. HMAC mixes in a secret key, so only someone with the key can produce the right value, which proves authenticity, not just integrity.

How do webhooks use HMAC?

The sender signs each request body with a shared secret and includes the HMAC in a header. Your server recomputes the HMAC and compares, confirming the request is genuine and unchanged.

Sources

Embed this tool

Add this tool to your own website. Copy the snippet below; it stays up to date automatically.

<iframe src="https://monu.tools/embed/en/hmac-generator" width="100%" height="640" style="border:1px solid #e5e5e5;border-radius:12px;max-width:680px" loading="lazy" title="Monu Tools"></iframe>

Learn more

Related tools