Generate an HMAC for a message and secret key using SHA-1, SHA-256, SHA-384 or SHA-512, in your browser.
How to use the HMAC generator
Pick a hash algorithm.
Enter your secret key and the message.
Copy the HMAC, shown as a hex digest.
An HMAC generator that signs a message with a secret key using SHA-1, SHA-256, SHA-384 or SHA-512, and shows the result as a hex digest. Pick an algorithm, enter the key and the message, and copy the signature.
HMAC stands for hash-based message authentication code. It is a keyed hash: combining a secret key with the message proves two things at once, that the message was created by someone who holds the key, and that it has not been altered in transit.
The difference from a plain hash is the key. Anyone can compute a SHA-256 of a message, but only someone with the shared secret can produce the correct HMAC, which is what turns a checksum into proof of authenticity.
That is why it is everywhere in web infrastructure. Webhooks from services like Stripe, GitHub and Slack sign each request with an HMAC so your server can verify the call really came from them, and many APIs sign requests the same way.
SHA-256 is the common default; SHA-384 and SHA-512 are stronger, while SHA-1 is legacy and best avoided for new systems.
It runs locally with the Web Crypto API, so your key and message are never uploaded, which is important since the key is a secret.
Frequently asked questions
A keyed hash that proves a message was created by someone holding the secret key and was not altered. It is widely used for API request signing and webhooks.
No. The HMAC is computed in your browser with the Web Crypto API, so the key and message never leave your device.
SHA-256 is the common default. SHA-384 and SHA-512 are stronger; SHA-1 is legacy and best avoided for new systems.
Anyone can compute a plain hash. HMAC mixes in a secret key, so only someone with the key can produce the right value, which proves authenticity, not just integrity.
The sender signs each request body with a shared secret and includes the HMAC in a header. Your server recomputes the HMAC and compares, confirming the request is genuine and unchanged.
Embed this tool
Add this tool to your own website. Copy the snippet below; it stays up to date automatically.
<iframe src="https://monu.tools/embed/en/hmac-generator" width="100%" height="640" style="border:1px solid #e5e5e5;border-radius:12px;max-width:680px" loading="lazy" title="Monu Tools"></iframe>