How to Generate an HMAC Signature (2026)
By Rui Barreira · Last updated: 18 June 2026
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message. It combines a cryptographic hash function with a secret key, producing a tag (commonly called a signature) that only someone who holds the key can reproduce. Because the same key both creates and checks the tag, HMAC is symmetric: it proves that the message came from a holder of the shared key and was not altered, but unlike a public-key signature it does not give non-repudiation, since the verifier could have produced the tag too. APIs, webhooks, and inter-service communication rely on HMAC to confirm that a request came from a trusted source and was not tampered with in transit. The HMAC Generator computes a valid signature in your browser without sending your key or message anywhere.
How HMAC Works
HMAC runs your message and secret key through two rounds of hashing using the construction defined in RFC 2104 (and FIPS 198-1): HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)), where K' is the key padded with zero bytes to the hash function's block size (a key longer than the block size is hashed first), and ipad and opad are the fixed byte constants 0x36 and 0x5C repeated to that length. The result is a fixed-length digest, the signature. Any change to the message, even a single character, produces a completely different digest. Because the key is mixed into both the inner and the outer hash, an attacker who intercepts the message cannot forge a matching signature without knowing the key, and cannot extend the message the way a plain H(key || message) construction would allow. The receiver recomputes the HMAC using the same key and compares it to the one sent alongside the message; a match confirms both authenticity and integrity.
| Algorithm | Output Length | Common Use |
|---|---|---|
| HMAC-SHA1 | 160 bits / 40 hex chars / 28 Base64 chars | Legacy APIs, OAuth 1.0a request signing, GitHub's original X-Hub-Signature header |
| HMAC-SHA256 | 256 bits / 64 hex chars / 44 Base64 chars | AWS Signature V4, Stripe webhooks, GitHub X-Hub-Signature-256, JWT HS256 |
| HMAC-SHA384 | 384 bits / 96 hex chars / 64 Base64 chars | JWT HS384, APIs standardising on the SHA-384 suite |
| HMAC-SHA512 | 512 bits / 128 hex chars / 88 Base64 chars | JWT HS512, token signing where a larger tag is wanted |
Collision attacks on SHA-1 do not directly break HMAC-SHA1, which is why it still appears in older integrations, but new designs should use SHA-256 or stronger; choose the algorithm the receiving API documents rather than the largest one available.
Generating and Verifying an HMAC
To generate a signature: choose a hash algorithm (SHA-256 is the usual default), provide your secret key, and pass in the message, typically the raw request body or a canonical string assembled from request parameters. The output is a hex or Base64 string that you attach to the request as a header (for example X-Hub-Signature-256 on GitHub webhooks, whose value has the form sha256=<hex>) or include as a query parameter. Whichever encoding you pick, sender and receiver must agree on it and on the exact bytes being signed; a trailing newline, a re-serialised JSON body, or a different parameter ordering will produce a different digest.
To verify on the receiving end, recompute the HMAC over the raw bytes exactly as received (before any JSON parsing or re-encoding) with the same key, then compare the result to the incoming signature using a constant-time comparison function such as hmac.compare_digest in Python or crypto.timingSafeEqual in Node.js. Avoid a simple string equality check: it returns as soon as it finds the first differing byte, so response timing leaks where two strings first differ and lets an attacker recover a valid signature byte by byte. A valid signature proves origin and integrity but not freshness; to stop a captured request from being replayed, include a timestamp or nonce in the signed material (Stripe's Stripe-Signature header carries a t= timestamp for this reason) and reject requests outside a short tolerance window.
Key Hygiene and Common Mistakes
The security of HMAC is entirely dependent on the secrecy of the key. Use a randomly generated key of at least 32 bytes from a cryptographic random source, never a human-readable password or a derivation of the payload itself, and keep it in a secrets manager or environment variable rather than in source control. Rotate keys on a schedule and immediately after any suspected exposure; during rotation, accept signatures under both the old and the new key for a short overlap so in-flight requests are not rejected. A frequent mistake is signing only part of the message, which lets an attacker modify unsigned fields while keeping the signature valid. Always sign the complete canonical representation of the data you intend to protect, including any timestamp or nonce the receiver will check.
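The following example ties together the generate-and-verify procedure above and the key hygiene points in this section: a random 32-byte key, a canonical string that covers the timestamp and the full body, constant-time comparison, replay rejection, and a deliberately flawed verifier that signs only one field so the partial-signing mistake can be seen failing. It is added here as illustration and is not the HMAC Generator's code; the "timestamp.body" canonical format and the tolerance window are assumptions chosen for the example, and the request bodies are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
import time


def generate_key(length: int = 32) -> bytes:
    """Fresh random key from the OS CSPRNG; 32 bytes matches the SHA-256 output size."""
    return secrets.token_bytes(length)


def canonical_string(timestamp: int, body: bytes) -> bytes:
    """Everything the receiver relies on goes under the signature: timestamp and full body.
    The 'timestamp.body' layout is an assumption for this example (Stripe-style)."""
    return str(timestamp).encode() + b"." + body


def sign(key: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the canonical string, hex-encoded for a header value."""
    return hmac.new(key, canonical_string(timestamp, body), hashlib.sha256).hexdigest()


def verify(key: bytes, timestamp: int, body: bytes, header: str,
           now: int, tolerance: int = 300) -> bool:
    """Receiver side: reject stale timestamps, recompute over the raw bytes as received,
    and compare in constant time."""
    if abs(now - timestamp) > tolerance:
        return False  # outside the replay window, regardless of signature
    expected = sign(key, timestamp, body)
    # compare_digest runs in time independent of where the strings differ;
    # `expected == header` would short-circuit at the first mismatching byte.
    return hmac.compare_digest(expected, header)


# --- The partial-signing mistake -------------------------------------------
def sign_partial(key: bytes, body: dict) -> str:
    """Flawed: only the 'amount' field is authenticated; 'payee' is unprotected."""
    return hmac.new(key, str(body["amount"]).encode(), hashlib.sha256).hexdigest()


def verify_partial(key: bytes, body: dict, header: str) -> bool:
    return hmac.compare_digest(sign_partial(key, body), header)


def encode_body(obj: dict) -> bytes:
    """Deterministic JSON encoding so sender and receiver sign identical bytes.
    In a real receiver, verify the raw request bytes instead of re-encoding."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def demo() -> dict:
    """Run the four scenarios and report each outcome; all four should be True."""
    key = generate_key()
    now = int(time.time())
    genuine = {"amount": 100, "payee": "alice"}     # constructed sample body
    tampered = {"amount": 100, "payee": "mallory"}  # attacker changes the unsigned field

    header = sign(key, now, encode_body(genuine))
    partial_header = sign_partial(key, genuine)

    return {
        "genuine_accepted": verify(key, now, encode_body(genuine), header, now),
        "tampered_rejected": not verify(key, now, encode_body(tampered), header, now),
        "replay_rejected": not verify(key, now, encode_body(genuine), header, now + 3600),
        "partial_signing_accepts_tampered": verify_partial(key, tampered, partial_header),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last result is the point of the key hygiene section: because sign_partial never covered the payee field, the attacker's altered body carries a perfectly valid signature. Signing the complete canonical string, as sign does, is what makes the tampered and replayed requests fail.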
Use the HMAC Generator to do this instantly.
Frequently Asked Questions
- Is this tool free?
- Yes — completely free, no signup required. All processing happens in your browser.
- Does the tool work offline?
- Once loaded, most features work without an internet connection since everything runs client-side.