HMAC Generator
Generate HMAC signatures in your browser from text or local files, then compare expected headers with SHA choices and byte encodings.{{ signatureArtifact }}
| {{ header }} | Copy |
|---|---|
| {{ cell.value }} {{ cell.value }} |
Introduction
A signed webhook, callback, or API request is judged by bytes, not by how the text looks on screen. One service may sign a raw JSON body, another may sign a canonical request string, and a third may prepend a timestamp before the body. If the receiver repeats the calculation over even one different byte, the authentication code changes completely.
A hash-based message authentication code, usually shortened to HMAC, is a keyed integrity check. The sender and receiver share a secret key. The sender combines that key with the message and a cryptographic hash function, then sends the resulting digest text as a header, token, or test vector. The receiver repeats the same calculation with its copy of the secret. A byte-for-byte match is evidence that the signed content was not changed and that the signer knew the shared key.
HMAC is easy to confuse with nearby security tools. A plain hash such as SHA-256 can detect accidental changes, but anyone can recompute it. Encryption hides content, but it does not by itself prove who prepared the content. A public-key digital signature uses separate private and public keys. HMAC is symmetric: the same shared secret gives both sides the ability to create valid codes, which makes secret handling as important as the hash choice.
- Signed bytes
- The exact message byte sequence after text encoding, byte decoding, and any documented newline treatment.
- Shared secret
- The key known by the signer and verifier. Anyone who learns it can create valid HMAC values.
- Hash family
- The digest algorithm inside the HMAC construction, such as SHA-256, SHA-512, SHA-1, RIPEMD-160, or MD5.
- Digest text
- The raw HMAC bytes displayed as lowercase hex, uppercase hex, Base64, or Base64URL.
- Header prefix
- Provider text such as
sha256=,sha1=, orv1=placed before the digest after the HMAC has already been calculated.
Most HMAC debugging comes down to matching the signing recipe exactly. Webhook providers commonly use SHA-256 with a prefix such as sha256=. Some older services still publish SHA-1, RIPEMD-160, or MD5 examples. Token and URL workflows may prefer Base64URL because it avoids +, /, and padding characters that need escaping. None of those display choices repair a mismatch caused by signing the wrong body, trimming the wrong newline, or decoding the secret in the wrong encoding.
A matching HMAC is a narrow result. It confirms that the same message, secret, hash family, and byte treatment produced the same authentication code. It does not make the message confidential, prove that the account is trustworthy, or remove the need to protect and rotate shared secrets.
How to Use This Tool:
Use the generator as a byte-for-byte signing workspace: set the message and secret encodings first, match the verifier's algorithm and display format, then compare the generated value against the expected header or digest.
- Enter the exact content in
Message to sign, or load a local TXT, JSON, CSV, or log file withBrowse text. The local text-file limit is 512 KB, and whitespace is part of the signed message. - Choose
Message encoding. UseUTF-8 textfor raw webhook bodies and canonical strings. UseHex bytes,Base64 bytes, orBase64URL bytesonly when the message box already contains encoded bytes. - Enter
Secret keyand chooseKey encoding.Generate test keycreates a local 32-byte Base64URL test secret for examples and test vectors, not a production secret-management workflow. - Set
Algorithmto the verifier's exact HMAC hash. The supported options are HMAC-SHA-256, SHA-512, SHA-384, SHA-224, SHA-1, RIPEMD-160, and MD5. - Set
Output formatandHeader prefix. The prefix is added to the copied header value after digest generation, so switching fromsha256=tov1=does not change the raw digest bytes. - Paste an optional
Expected signature. LeaveExpected formatonAuto detectfor ordinary provider headers, or pinHex,Base64, orBase64URLwhen the expected value is ambiguous. - Open
Advancedonly when the signing specification names a text treatment rule.Exact textsigns the message as entered,Trim one final newlineremoves one trailing line break, andNormalize CRLF to LFchanges Windows-style line endings before signing. - Copy the header or digest only after the summary shows a ready signature or a successful match. If the summary reports an input issue, fix the missing secret, malformed byte encoding, invalid expected value, or oversized file before copying.
Interpreting Results:
The top signature field shows the current generated value. Copy header includes the selected prefix when one is active, while Copy digest copies only the digest text. The HMAC Signature tab repeats the current artifact in a compact text form.
| Status or cue | Meaning | What to check next |
|---|---|---|
Signature match |
The generated HMAC bytes match the pasted expected value after prefix removal and decoding. | Confirm that the message, secret, algorithm, encoding choices, and text treatment are the intended production recipe. |
Signature mismatch |
The expected value parsed successfully, but its bytes differ from the generated digest. | Check line endings, a trailing newline, key encoding, selected hash family, and whether the provider signs a canonical string instead of the raw body. |
Expected parse error |
The expected value could not be decoded as the selected or detected format. | Remove unrelated header text, then choose Hex, Base64, or Base64URL explicitly. |
short test key |
The parsed secret is shorter than the digest byte length for the selected algorithm. | Use a longer random shared secret for new integrations and store it in a managed secret system. |
Check prefix |
The copied prefix does not naturally match the selected algorithm, apart from provider styles such as v1=. |
Compare the provider's header convention with the selected Header prefix and Algorithm. |
Signature Ledger records the generated header, raw digest, algorithm, key encoding, message size, prefix choice, and security posture. Verification Checks focuses on expected-value parsing, key length, message treatment, prefix fit, and secret handling. Algorithm Outputs recomputes the same parsed message and secret across every supported algorithm, which helps when a provider example omits the hash family or labels it incorrectly.
A match should not be overread. It proves reproducibility for the chosen inputs. It does not show that the shared secret has never leaked, that the sender is allowed to perform the requested action, or that the message content is safe to process.
Technical Details:
HMAC is a two-pass keyed hash construction. The secret key is adjusted to the hash function's block size, mixed with an inner pad, hashed with the message, then mixed with an outer pad and hashed again. This structure avoids the weaknesses of simply concatenating a secret with a message and hashing the result.
The important separation is between bytes and text. The message and secret must first become byte arrays. The hash family then produces raw HMAC bytes. Only after that does formatting turn those bytes into lowercase hex, uppercase hex, Base64, or Base64URL text. A prefix such as sha256= is outside the HMAC calculation.
Formula Core
The standard HMAC construction uses an inner hash result as input to an outer hash.
K is the shared secret, m is the exact message byte sequence, H is the selected hash function, and K0 is the key after block-size adjustment. The fixed pad byte patterns are known as ipad and opad. Hex, Base64, Base64URL, and header prefixes are display conventions applied after the HMAC bytes exist.
Transformation Core
| Stage | What changes it | Technical effect |
|---|---|---|
| Message bytes | Message to sign, Message encoding, and selected text treatment. |
UTF-8 text is encoded directly; hex, Base64, and Base64URL values are decoded before signing. Whitespace and line endings are significant unless a selected treatment changes them. |
| Key bytes | Secret key and Key encoding. |
A secret typed as UTF-8 text is not the same byte sequence as the same visible characters decoded from hex, Base64, or Base64URL. |
| Hash family | Algorithm. |
The algorithm determines digest length, provider compatibility, default prefix, and security posture. |
| Displayed digest | Output format. |
Lowercase hex, uppercase hex, Base64, and Base64URL encode the same digest bytes in different text forms. |
| Copied header | Header prefix and optional custom prefix. |
The prefix is prepended after digest generation and is not signed. |
| Expected comparison | Expected signature and Expected format. |
Known header prefixes are stripped, then the remaining text is decoded as hex, Base64, or Base64URL before byte comparison. |
| Algorithm option | Digest bytes | Lowercase hex characters | Practical reading |
|---|---|---|---|
HMAC-SHA-256 |
32 | 64 | Common default for new webhook and API signing workflows when no peer rule says otherwise. |
HMAC-SHA-512 |
64 | 128 | Strong SHA-2 option used when a verifier or policy names SHA-512. |
HMAC-SHA-384 |
48 | 96 | Strong SHA-2 option used when a verifier or policy names SHA-384. |
HMAC-SHA-224 |
28 | 56 | SHA-2 compatibility choice for systems that explicitly require the 224-bit variant. |
HMAC-SHA-1 |
20 | 40 | Legacy compatibility choice for existing systems that still specify SHA-1. |
HMAC-RIPEMD-160 |
20 | 40 | Legacy interoperability choice for RIPEMD-160 examples or older protocol tests. |
HMAC-MD5 |
16 | 32 | Legacy compatibility only. Do not choose it for new security-sensitive signing. |
Expected signatures are safer to compare as decoded bytes than as raw strings. Prefix text such as x-hub-signature-256:, sha256=, ripemd160=, md5=, and version-style prefixes such as v1= can wrap the same digest. After the prefix is removed, the remaining value still needs a valid hex, Base64, or Base64URL shape and a decoded byte length that fits the selected algorithm.
A production verifier should define the signed input unambiguously: raw request body, canonical request string, timestamp plus body, or another documented byte sequence. If that byte sequence is vague, a correct HMAC function can still produce mismatches that look like cryptographic failures but are really input-definition failures.
Privacy and Safety Notes:
The signing calculation runs in the browser session. Secret values are omitted from shared URL state, CSV exports, DOCX exports, JSON downloads, and the signature text artifact, but a browser page is still not a secret-management system.
- Use test secrets for examples, support cases, and webhook troubleshooting whenever possible.
- Keep production shared secrets in a vault, deployment secret store, or server-side verifier.
- Rotate a production HMAC secret if it is pasted into an untrusted page, chat, ticket, screenshot, or recording.
- Remember that HMAC authenticates a message under a shared secret; it does not encrypt the message.
- Watch clipboard history, browser extensions, crash reports, and screen sharing when a real secret is visible.
Worked Examples:
Webhook sample match. For the sample message POST
/api/orders
2026-05-18T10:00:00Z
{"order_id":"A1001","total":135.50} with the secret test-secret-key, HMAC-SHA-256, lowercase hex output, and automatic sha256= prefix, the generated value is sha256=c9db493e614eed02ffa05e3c6d940c111d5807d405525692f095ef51733a1e7a. Pasting that same value into Expected signature changes the summary to Signature match.
Token-style Base64URL output. A canonical string such as GET /v1/invoices date=2026-05-31 can be signed with a Base64URL-encoded test key by setting Key encoding to Base64URL bytes and Output format to Base64URL. The resulting digest omits URL-sensitive + and / characters and drops trailing padding.
Line-ending mismatch. If a provider example fails under Exact text, try Normalize CRLF to LF only when the provider's signing rules support that treatment. A change from Signature mismatch to Signature match is useful evidence for debugging, but production code should not silently normalize signed messages without a documented rule.
Short secret warning. A short secret such as abc with HMAC-SHA-256 still produces a digest, but Verification Checks reports a short test key because 3 parsed key bytes are below the 32-byte SHA-256 digest length. The warning is a setup-quality cue, not a parser failure.
FAQ:
Which algorithm should I choose?
Match the system that will verify the signature. If you are defining a new simple webhook-style signature and have no outside requirement, HMAC-SHA-256 is the broad default.
Why does the digest change when I switch message encoding?
The encoding setting changes the bytes being signed. UTF-8 signs characters as text, while hex, Base64, and Base64URL decode the field into bytes first.
Does uppercase hex make a different HMAC?
No. Uppercase and lowercase hex are different text displays of the same digest bytes. A strict receiver may still require one style for string comparison.
Why does the expected signature fail to parse?
The pasted value may contain unrelated header text, invalid hex, invalid Base64 characters, or a format that auto detection cannot infer. Strip extra text or choose the expected format directly.
Can I use a production webhook secret here?
Use a test secret whenever possible. A production secret belongs in the server-side verifier or a managed secret store. If a live secret is exposed during troubleshooting, rotate it.
Does HMAC encrypt the message?
No. HMAC authenticates the message bytes under a shared secret, but the message remains readable anywhere it is sent or stored.
Glossary:
- HMAC
- A keyed message authentication code built from a cryptographic hash function.
- Signed bytes
- The exact byte sequence authenticated after text encoding, byte decoding, and any selected newline treatment.
- Shared secret
- The key known to both signer and verifier. Possession of this value allows valid HMAC values to be produced.
- Digest
- The raw HMAC output bytes shown as hex, Base64, or Base64URL text.
- Header prefix
- Text such as
sha256=,ripemd160=, orv1=placed before the digest for a provider convention. - Base64URL
- A URL-safe Base64 alphabet that uses
-and_instead of+and/, commonly without trailing padding.
References:
- FIPS 198-1, The Keyed-Hash Message Authentication Code (HMAC), National Institute of Standards and Technology.
- RFC 2104, HMAC: Keyed-Hashing for Message Authentication, Internet Engineering Task Force.
- RFC 4648, The Base16, Base32, and Base64 Data Encodings, Internet Engineering Task Force.
- Secrets Management Cheat Sheet, OWASP Cheat Sheet Series.