HMAC Generator

How to Use the HMAC Generator

The HMAC Generator creates a Hash-based Message Authentication Code by combining a secret key with a message using a cryptographic hash function. HMAC is used to verify both the data integrity and authenticity of a message.

How HMAC Works

HMAC combines a secret key with the message data through two rounds of hashing. The formula is: HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)), where H is the hash function, K' is the derived key, and opad/ipad are padding constants. This construction prevents length extension attacks that affect plain hash functions.

Using This Tool

Select a hash algorithm (SHA-256, SHA-512, or SHA-1), enter your secret key, type or paste your message, and click Generate. The HMAC is computed in your browser using the Web Crypto API. Your key and message never leave your device.

Common HMAC Applications

HMAC is used in API authentication (e.g., AWS Signature V4), JWT token signing, webhook signature verification (e.g., GitHub, Stripe), and secure cookie signing. HMAC-SHA256 is the most common choice for new implementations.

Frequently Asked Questions

Q: What is the difference between HMAC and a regular hash?

A: A regular hash only ensures data integrity. HMAC adds a secret key, so only parties who know the key can generate or verify the code. This provides both integrity and authentication.

Q: Which HMAC algorithm should I use?

A: HMAC-SHA256 is recommended for most applications. Use HMAC-SHA512 for extra security margin. Avoid HMAC-SHA1 for new projects unless required for compatibility.

Q: Is HMAC-SHA1 still secure?

A: Unlike plain SHA-1, HMAC-SHA1 is not directly affected by collision attacks and is still considered secure for authentication. However, HMAC-SHA256 is preferred for new implementations.