HMAC Generator
Generate HMAC signatures from message and secret with support for SHA-256, SHA-1, SHA-512, Base64 secret input, and HEX/Base64 output.
HEX output
Base64 output
What is an HMAC generator?
An HMAC generator creates a keyed hash-based message authentication code from a message and a secret key.
It is useful for API authentication, webhook signature verification, request signing, and debugging integrations that require HMAC values.
How to use the HMAC Generator
- Choose the HMAC algorithm, such as SHA-256, SHA-1, or SHA-512.
- Paste your message or payload into the first field.
- Enter the secret key.
- Click Generate to get HMAC output in HEX and Base64.
Tips
- Make sure the secret format matches your integration. Some systems use plain text secrets, while others use Base64.
- HEX output is common in documentation and debugging tools.
- Base64 output is useful when APIs expect encoded signatures.
- Everything runs locally in your browser.
Related guides
Learn the workflow behind this tool and what to check next.
How to inspect JWT auth issues
A JWT troubleshooting flow for checking token claims, time values, permissions, and signing assumptions without treating decoding as verification.
How to validate a domain before launch
A launch workflow for confirming DNS records, domain ownership signals, SSL coverage, and security headers on the public endpoint.
HMAC checks before signing or verifying a message
Both sides must use the same secret, algorithm, and exact message bytes. Small serialization differences produce a completely different signature.
Raw message bytes
Verify whether the signature covers the raw body, decoded text, timestamp prefix, canonical string, or another provider-defined payload.
Output format
Confirm whether the expected digest is hexadecimal, Base64, URL-safe Base64, lowercase, uppercase, or prefixed with an algorithm name.
Secret handling
Use a dedicated high-entropy secret, keep it out of logs and client code, and plan a rotation strategy with overlapping keys.
Safe comparison
Production verification should use constant-time comparison and reject stale timestamps or replayed event identifiers when available.
Privacy and usage
Built for quick checks without an account
Toolinix tools are designed for short developer tasks: paste a safe sample, inspect the result, copy what you need, and move on.
No login required
You can use the tools without creating an account, subscribing to a newsletter, or saving a workspace.
Local when possible
Formatters, generators, encoders, and text utilities generally run in your browser. Network diagnostics may need a server-assisted lookup to check public URLs, domains, or IPs.
Keep secrets out
Do not paste production passwords, private keys, access tokens, customer records, or regulated data into online tools unless your own security policy allows it.
Related tools
You may also find these tools useful.