HMAC Generator

Compute Hash-Based Message Authentication Code (HMAC) using industry-standard hash functions. Verify message integrity and authenticity with a shared secret — fully client-side.

Keep the key confidential. For production, use cryptographically random keys (≥ 32 bytes).

Test Vectors:
  • RFC 2202 Test (key: 'key', msg: 'The quick brown fox jumps over the lazy dog')
  • API Request Signing: POST /payment
  • Webhook Secret: payload={"event":"order"}
Zero-knowledge design: Keys and messages never leave your browser. HMAC computation is performed locally using Web Crypto API & CryptoJS.

What is HMAC? The Cornerstone of Authenticated Communication

HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message using a shared secret key. Unlike ordinary hash functions (MD5, SHA-256) which only ensure data hasn't been accidentally corrupted, HMAC protects against deliberate tampering because an attacker without the secret key cannot produce a valid MAC. Defined in RFC 2104 and FIPS PUB 198-1, HMAC is widely adopted in API authentication (AWS Signature V4), JWT (with HS256), webhook security, and secure banking protocols.

HMAC(K, m) = H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ m))

Where H is a cryptographic hash function (SHA-256, etc.), K is the secret key zero-padded to the hash's block size (a key longer than the block size is hashed first), and ipad/opad are the inner/outer padding constants. This construction prevents length extension attacks, and its security reduces provably to properties of the underlying hash.

Why HMAC over plain hashes?

  • Authentication: Only parties who know the secret key can generate valid HMACs.
  • Integrity: Any change in the message (even 1 bit) produces a completely different HMAC.
  • Resistance to length extension: Simple SHA(key + message) is vulnerable; HMAC is not.
  • Industry Standards: Used in TLS, OAuth 2.0, AWS, Stripe webhooks, and more.

Security Guidance & Algorithm Selection

Algorithm    | Output Length | Security Status                 | Recommended Use
HMAC-MD5     | 128 bits      | Broken / collision vulnerable   | Avoid; legacy compatibility only
HMAC-SHA1    | 160 bits      | Theoretically weak (deprecated) | Not recommended for new systems
HMAC-SHA256  | 256 bits      | Secure (standard)               | Default choice for most applications
HMAC-SHA512  | 512 bits      | Extremely secure                | High-security environments, compliance

NIST SP 800-107 recommends HMAC with SHA-256 or stronger for all new deployments. For API signing, always use at least SHA-256 and a key of equal or larger bit strength.

Real-world Case Study: Webhook Signature Verification

E-commerce platforms like Shopify or Stripe send webhook events (e.g., "payment succeeded") to merchant endpoints. To verify the webhook truly originated from the provider, they include an HMAC-SHA256 signature header computed using a shared secret. The merchant recomputes the HMAC locally using the received payload and secret; if signatures match, the event is authentic. Our tool replicates this exact logic — developers can test payloads and secrets before integration.

Step-by-step Usage & Best Practices

  1. Select a secure algorithm: Prefer SHA-256 or SHA-512. Avoid MD5/SHA-1.
  2. Generate a strong secret key: Use at least 32 random bytes (e.g., from a CSPRNG). Never hardcode keys in client-side code for production; throwaway test keys used with this tool are fine.
  3. Enter the message payload: Can be JSON, URL parameters, or plain text.
  4. Compute HMAC: Click generate and copy the resulting digest.
  5. Verification: Paste an existing HMAC signature into the verify field to check message authenticity.

Frequently Asked Questions

Is HMAC the same as a digital signature?

No. HMAC uses symmetric keys (the same key for signer and verifier), while digital signatures use asymmetric cryptography (public/private keys). HMAC is faster but requires secure key distribution.

How long should the secret key be?

RFC 2104 recommends keys at least as long as the hash output (e.g., 256 bits for SHA-256). Longer keys are fine: a key longer than the hash's block size is first hashed, and the result is zero-padded to the block size.

Can I use this tool for JWT HS256 signatures?

Absolutely. HS256 is HMAC with SHA-256. You can test JWT header/payload combinations before encoding with base64url.

Is it safe to enter keys into this tool?

Yes, all computation occurs locally in your browser. No data is transmitted. However, avoid exposing real production keys in browser developer tools when using shared computers.

Trusted cryptographic reference: This tool implements HMAC as per RFC 2104 and FIPS 198-1. The implementation is powered by the Web Crypto API (when available) with a CryptoJS fallback, ensuring compliance with NIST standards. Validated against official test vectors from RFC 2202 and RFC 4231. Reviewed by the GetZenQuery Tech team. Our team includes contributors with OSCP and CISSP certifications, ensuring enterprise-grade security practices.