HMAC Generator

All tools

Generate HMAC signatures from message and secret with support for SHA-256, SHA-1, SHA-512, Base64 secret input, and HEX/Base64 output.

Options

HEX output

Base64 output

What is an HMAC generator?

An HMAC generator creates a keyed hash-based message authentication code from a message and a secret key.

It is useful for API authentication, webhook signature verification, request signing, and debugging integrations that require HMAC values.

How to use the HMAC Generator

  1. Choose the HMAC algorithm, such as SHA-256, SHA-1, or SHA-512.
  2. Paste your message or payload into the first field.
  3. Enter the secret key.
  4. Click Generate to get HMAC output in HEX and Base64.

Tips

  • Make sure the secret format matches your integration. Some systems use plain text secrets, while others use Base64.
  • HEX output is common in documentation and debugging tools.
  • Base64 output is useful when APIs expect encoded signatures.
  • Everything runs locally in your browser.

Related guides

Learn the workflow behind this tool and what to check next.

HMAC checks before signing or verifying a message

Both sides must use the same secret, algorithm, and exact message bytes. Small serialization differences produce a completely different signature.

Raw message bytes

Verify whether the signature covers the raw body, decoded text, timestamp prefix, canonical string, or another provider-defined payload.

Output format

Confirm whether the expected digest is hexadecimal, Base64, URL-safe Base64, lowercase, uppercase, or prefixed with an algorithm name.

Secret handling

Use a dedicated high-entropy secret, keep it out of logs and client code, and plan a rotation strategy with overlapping keys.

Safe comparison

Production verification should use constant-time comparison and reject stale timestamps or replayed event identifiers when available.

Privacy and usage

Built for quick checks without an account

Toolinix tools are designed for short developer tasks: paste a safe sample, inspect the result, copy what you need, and move on.

No login required

You can use the tools without creating an account, subscribing to a newsletter, or saving a workspace.

Local when possible

Formatters, generators, encoders, and text utilities generally run in your browser. Network diagnostics may need a server-assisted lookup to check public URLs, domains, or IPs.

Keep secrets out

Do not paste production passwords, private keys, access tokens, customer records, or regulated data into online tools unless your own security policy allows it.

Related tools

You may also find these tools useful.

HMAC Generator FAQ

Is my secret sent to the server?
No. Everything runs locally in your browser.
What algorithms are supported?
This tool supports HMAC-SHA-256, HMAC-SHA-1, and HMAC-SHA-512.
Can I use a Base64 secret?
Yes. Enable the option that tells the tool your secret is Base64-encoded.