Computes HMAC-SHA256, HMAC-SHA512, HMAC-SHA384, and HMAC-SHA1 simultaneously from a single message and key input, so you can compare outputs or pick the right one for your use case.
HMACs update instantly as you type — no button press required. Useful for debugging API signatures and webhook verification where you need to test different key or message combinations quickly.
Switch between lowercase hex and Base64 output with one click. Most APIs (AWS, Stripe, GitHub) use hex; some use Base64. Both formats represent the same underlying HMAC value.
All HMAC computation uses the browser Web Crypto API — your message and secret key never leave your device. Safe for computing API signatures with real production keys.
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message. It combines a cryptographic hash function (like SHA-256) with a secret key, producing a fixed-size signature. Only someone with the same secret key can reproduce the same HMAC.
HMAC-SHA256 is used to sign API requests (e.g. AWS Signature v4, Stripe webhooks, GitHub webhooks), verify JWT signatures (HS256), authenticate WebSocket connections, and secure cookies. It is the most widely deployed HMAC variant.
No. A plain hash (like SHA-256) can be computed by anyone and does not prove authenticity. HMAC requires a secret key, so only parties that share the key can compute or verify the code. This makes HMAC suitable for authentication, while plain hashes are used for integrity and checksums.
Concatenate the components you want to sign (method, path, timestamp, body hash, etc.) into a canonical string, then compute HMAC-SHA256 of that string using your API secret key. Include the resulting hex or Base64 value in the Authorization header. Most API documentation specifies the exact canonical string format.