HMAC Generator (SHA-256, SHA-512)

Generate HMAC hashes for message authentication using a secret key.

What is HMAC (Hash-based Message Authentication Code)?

HMAC is a **message authentication code** (MAC). Its purpose is to verify both the **data integrity** and the **authenticity** of a message.

The Problem (Hash vs. HMAC): A standard hash function (like SHA-256) only guarantees *integrity*. If you receive a message and its SHA-256 hash, you can confirm the message wasn't changed *in transit*. However, an attacker could intercept the message, change it, create a *new* SHA-256 hash for the changed message, and send both to you. You would have no way of knowing it's a fake.

The Solution (HMAC): HMAC solves this by introducing a **secret key** that only the sender and receiver know. It combines the hash function with this secret key.

Now an attacker cannot forge the signature. To change the message, they would need the secret key to compute a valid HMAC for the new contents. Without the key, any value they generate will fail verification, and the receiver will immediately know the message has been tampered with.
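The construction described above, as an added example that is not part of the original page: HMAC-SHA256 is built by hand following RFC 2104 (inner hash over the key XOR `ipad` and the message, outer hash over the key XOR `opad` and the inner digest), checked against Python's standard `hmac` module, and then used to show the difference the text draws between a plain hash and a keyed MAC. The key and message are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for this example (not from the page).
KEY = b"example-secret-key"
MESSAGE = b'{"amount": 100, "to": "alice"}'


def hmac_sha256_by_hand(key: bytes, message: bytes) -> bytes:
    """HMAC as defined in RFC 2104: H((K' ^ opad) || H((K' ^ ipad) || m))."""
    block_size = 64  # SHA-256 consumes 64-byte input blocks
    # A key longer than one block is hashed first; a shorter key is zero-padded.
    if len(key) > block_size:
        key = hashlib.sha256(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def tag_hex(key: bytes, message: bytes) -> str:
    """Same computation via the standard library, hex-encoded."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, received_tag_hex: str) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(tag_hex(key, message), received_tag_hex)


def plain_hash_check(message: bytes, received_hash_hex: str) -> bool:
    """The unkeyed check the page warns about: anyone can satisfy it."""
    return hashlib.sha256(message).hexdigest() == received_hash_hex


def tamper_demo() -> dict:
    """Show why an unkeyed hash accepts a modified message but HMAC does not."""
    tampered = b'{"amount": 9999, "to": "mallory"}'
    # An interceptor can always recompute a plain SHA-256 over the altered message.
    attacker_hash = hashlib.sha256(tampered).hexdigest()
    # Without KEY the interceptor cannot compute a fresh tag, so the best they
    # can do is forward the original tag alongside the altered message.
    original_tag = tag_hex(KEY, MESSAGE)
    return {
        "plain_hash_accepts_tampered": plain_hash_check(tampered, attacker_hash),
        "hmac_accepts_tampered": verify(KEY, tampered, original_tag),
        "hmac_accepts_original": verify(KEY, MESSAGE, original_tag),
    }


if __name__ == "__main__":
    print("by-hand == stdlib:", hmac_sha256_by_hand(KEY, MESSAGE).hex() == tag_hex(KEY, MESSAGE))
    print(tamper_demo())
```

`hmac.compare_digest` is used in `verify` rather than `==` so that the comparison time does not depend on how many leading bytes of a guessed tag are correct.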

Key Use Cases for this Generator:

  • API Security: Most modern APIs (like AWS, Stripe, etc.) use HMAC to sign requests. The server and client both have a "secret key," and every request is signed. This proves the request is from an authorized user and wasn't altered.
  • JWT (JSON Web Tokens): The `HS256` (HMAC-SHA256) algorithm is the most common way to create the signature for a JWT. This signature verifies that the token's payload hasn't been tampered with.
  • Secure Webhooks: Services like GitHub or Slack use HMAC to sign their webhook payloads, allowing your server to verify that the incoming data is *actually* from them.
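The webhook use case from the list above, as an added example that is not part of the original page: a receiver verifies an incoming payload against a shared secret, using a `sha256=<hex>` header in the style GitHub documents for its `X-Hub-Signature-256` header. It also generates the shared secret from the OS CSPRNG, and shows the practical pitfall that verification must run over the raw request bytes, since re-serializing the JSON changes the bytes and therefore the HMAC. The secret, body and header values are constructed samples.

```python
import hashlib
import hmac
import json
import secrets


def generate_secret() -> str:
    """32 random bytes from the OS CSPRNG, hex-encoded to 64 characters.

    This is the kind of long, random key the page calls for; never a
    human-chosen password.
    """
    return secrets.token_hex(32)


def sign_payload(secret: str, body: bytes) -> str:
    """What the sending service computes: 'sha256=' + HMAC-SHA256(secret, body)."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, raw_body: bytes, signature_header: str) -> bool:
    """What the receiver runs before trusting the payload.

    Rejects a missing or malformed header outright and compares the expected
    value in constant time so a forger learns nothing from response timing.
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign_payload(secret, raw_body)
    return hmac.compare_digest(expected, signature_header)


# Constructed sample request; the double space is deliberate so that
# re-serializing the JSON produces different bytes.
SECRET = "constructed-example-secret-0123456789abcdef"
RAW_BODY = b'{"event": "push",  "id": 42}'


def verification_demo() -> dict:
    """Exercise the receiver against valid, tampered and re-serialized bodies."""
    header = sign_payload(SECRET, RAW_BODY)
    tampered = b'{"event": "push",  "id": 43}'
    # Common bug: parsing the body and hashing the re-encoded JSON instead of
    # the bytes that were actually signed.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "raw_body_verifies": verify_webhook(SECRET, RAW_BODY, header),
        "tampered_body_rejected": not verify_webhook(SECRET, tampered, header),
        "missing_header_rejected": not verify_webhook(SECRET, RAW_BODY, ""),
        "wrong_prefix_rejected": not verify_webhook(SECRET, RAW_BODY, header.replace("sha256=", "sha1=")),
        "reserialized_body_rejected": not verify_webhook(SECRET, reserialized, header),
        "wrong_secret_rejected": not verify_webhook("another-secret", RAW_BODY, header),
    }


if __name__ == "__main__":
    print("generated secret:", generate_secret())
    print(verification_demo())
```

Because every check in `verification_demo` is expected to come out `True`, the receiver's rule of thumb is visible in one place: verify the exact bytes received, with the exact secret, in constant time, and treat anything else as an unauthenticated request.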


HMAC Best Practices & Key Concepts


HMAC is Authentication, Not Encryption

This is the most critical concept. HMAC provides **no confidentiality**. The message remains plaintext. It only *proves* the message is authentic and unaltered. If you need to hide the data, you must **encrypt it first** (e.g., with AES) and *then* HMAC the *encrypted* data (Encrypt-then-MAC).


The Secret Key is Everything

The security of HMAC does not depend on the security of the hash function (like SHA-256) alone. It relies **entirely on the secrecy of the key**. Your key should be a long, random, and cryptographically secure string. A weak, guessable key ("password123") makes HMAC useless.

HMAC-SHA256 is the Standard

While HMAC can be used with any hash function, **HMAC-SHA256** is the modern standard for almost all applications, including JWTs and most APIs. HMAC-SHA1 is considered weak (as SHA-1 is weak) and HMAC-MD5 is broken (as MD5 is broken). Use HMAC-SHA256 or HMAC-SHA512.
