Web Tools
HMAC Generator
Generate HMAC-SHA-256 message authentication codes from any message and secret key. Supports hex, base64, and base64url output formats. Pure JavaScript implementation of SHA-256 (FIPS 180-4) and HMAC (RFC 2104). Runs entirely in your browser — your data never leaves your machine.
hmac sha256 hash authentication signature security
Published May 30, 2026
All interactive tools run entirely in your browser. Your data never leaves your device.
How It Works
Enter a secret key and a message to compute the HMAC-SHA-256 signature in real time. The tool implements the full HMAC algorithm (RFC 2104) on top of a pure JavaScript SHA-256 (FIPS 180-4) — no Web Crypto API or external dependencies.
Output Formats
- Hex: lowercase hexadecimal string (64 characters)
- Base64: standard base64 encoding
- Base64URL: URL-safe base64 (no padding,
+/replaced with-_)
Features
- HMAC-SHA-256: industry-standard message authentication
- Pure JavaScript: SHA-256 + HMAC implemented from scratch, no dependencies
- Multiple formats: hex, base64, base64url output
- Comparison hash: also shows plain SHA-256 of the message (without key)
- Key info: displays key and message byte lengths
- 5 examples: API signing, webhook verification, JWT, token generation, password hashing
- Private: runs entirely in the browser — no data transmitted
Use Cases
- Verifying webhook signatures (GitHub, Stripe, Slack)
- Generating API request signatures (AWS Signature V4, etc.)
- Creating signed tokens and session identifiers
- Validating message integrity and authenticity
- Learning about HMAC construction and cryptographic hashing