What is HMAC used for?

Verifying that a message hasn't been tampered with and was sent by someone who knows the secret. Common in webhook signing and API authentication.

Is my secret safe to paste here?

Computation happens entirely in your browser; nothing is uploaded. That said, treat any production secret like a password — clear it after use.

How is HMAC different from a plain hash?

A plain hash anyone can produce. An HMAC requires the shared secret, so only parties with that key can verify it.

Developer Tools

HMAC Generator

Generate HMAC-SHA256 / SHA-1 / SHA-512 signatures from a message and secret key.

Message

Secret key

Algorithm

Signature (hex)

Files processed in your browser

Your files never leave your device. No upload, no servers.

About HMAC Generator

HMAC Generator computes a Hash-based Message Authentication Code (HMAC) using a shared secret and a hash algorithm. Used by webhook signing (Stripe, GitHub, Slack), API request signing (AWS, Twilio), and JWT HS256 tokens. Uses the WebCrypto subtle API. Runs in your browser — your secret never leaves the page, never appears in server logs, and never crosses the network. That's the only safe way to use a real production secret in a web tool. Pasting your Stripe webhook signing secret into a third-party site that does the math server-side is a credential leak you can't undo. The output is shown in both lowercase hex (the format most webhook providers send) and Base64 (used by some signing schemes). Switch between SHA-256, SHA-1, and SHA-512 to match whichever algorithm your provider uses. SHA-256 is the modern default — it's what Stripe, GitHub, Slack, Twilio, and most modern services use.

How HMAC Generator works

Paste your message (the webhook payload, the canonical request, or whatever you want to sign).
Paste your shared secret (the signing key the provider gave you, or the one you generated).
Pick an algorithm: SHA-256 (most common), SHA-1 (legacy), or SHA-512 (extra strength).
WebCrypto's subtle.sign computes the HMAC entirely in your browser.
Compare the hex or Base64 output against the signature header from the provider to verify.

When to use HMAC Generator

Verify a Stripe webhook by computing HMAC-SHA256 of the raw payload with your endpoint secret.
Validate a GitHub webhook X-Hub-Signature-256 against your repo's webhook secret.
Sign an AWS API request when implementing Signature Version 4 by hand for debugging.
Generate the signature for a Twilio webhook to confirm a request really came from Twilio.
Mint short-lived signed URLs (e.g. CDN access tokens) where you control both sides.
Reproduce a JWT HS256 signature for inspection or test fixture generation.

Why choose Utilix HMAC Generator

Secrets stay local — your browser computes the HMAC, no third-party server sees the key.
Hex and Base64 outputs covered, matching whichever format your provider uses.
WebCrypto is hardened, audited, and side-channel-resistant — the right choice for cryptography.
Three SHA variants in one tool — no need to find separate sites for SHA-1, SHA-256, and SHA-512.
No signup, no telemetry, no daily limit.