What this tool is good for
HMAC stands for Keyed-Hash Message Authentication Code. It combines a secret key with a hash function so the receiver can verify both message integrity and possession of the shared secret.
This tool lets you compute HMAC values with MD5, SHA1, SHA224, SHA256, SHA384, SHA512, SHA3, and RIPEMD160 for API signing, webhook debugging, and compatibility checks.
How to use it
- Enter the message you want to sign.
- Choose the HMAC algorithm expected by the target system.
- Provide the shared secret key.
- Copy the generated HMAC value after checking the required case format.
Practical notes
- Changing even one character in the input or key produces a different HMAC.
- HMAC is not the same as a plain hash because the secret key is part of the calculation.
- When debugging signatures, make sure line breaks, whitespace, and field order match the upstream system exactly.
FAQ
What is an HMAC used for?
An HMAC is used to verify that a message came from someone with the shared secret key and that the message was not changed. It is common in API signatures and webhook verification.
How is HMAC different from a normal hash?
A normal hash is unkeyed and only produces a digest of the input. HMAC combines the message with a secret key, which makes it suitable for authentication and tamper checks.
Which HMAC algorithm should I choose?
HMAC-SHA256 is a common default for API signing. Use the algorithm required by the service you are integrating with, and keep the secret key private.
Related tools
- Hash Generator:Generate MD5, SHA, SHA-3, and RIPEMD160 hashes