HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a secret key with a message to produce a unique authentication code. It's used to verify both the integrity and authenticity of data by proving the message hasn't been altered and came from the expected source. HMACs are essential in API security, webhook verification, and authentication protocols.

How do I use the HMAC Generator?

Enter the text or message you want to hashInput your secret key (keep this private)Choose your algorithm: SHA-1, SHA-256, SHA-384, or SHA-512 (SHA-256 is recommended for most uses)Select your output format: Hexadecimal or Base64Click Generate and copy your HMAC resultThe tool processes everything in your browser for maximum security.

Which SHA algorithm should I use?

SHA-256 is the best choice for most modern applications and offers excellent security. Use SHA-512 if you need maximum security for highly sensitive data. SHA-1 is only recommended for legacy systems; avoid it for new projects. SHA-384 is rarely needed but available if your specific system requires it.

Is the HMAC Generator free?

Yes, this tool is completely free to use at tools.bkns.vn. All HMAC generation happens securely on your device with no registration, limits, or hidden fees.

Yes, complete privacy is guaranteed. This tool uses your browser's Web Crypto API for all computations, meaning your messages and secret keys are processed entirely on your device and never sent to any server. No data is stored, logged, or transmitted anywhere.

HMAC Generator - Free online tool

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to create a unique fingerprint of your message. This tool leverages your browser's native Web Crypto API to perform all computations client-side, making it both fast and secure.

Simply enter your text message and secret key, select your preferred hashing algorithm (SHA-1, SHA-256, SHA-384, or SHA-512), and the tool instantly generates the corresponding HMAC. The algorithm mixes your key with the message through two rounds of hashing, producing a tamper-proof authentication code that proves message integrity and authenticity.

You can export the result in hexadecimal or base64 encoding, making it compatible with any API, webhook, or authentication system. The base64 format is particularly useful for JSON payloads and HTTP headers, while hex is standard for most cryptographic applications.

API Authentication: Sign API requests with HMAC to verify that requests come from trusted clients and haven't been modified in transit
Webhook Verification: Validate incoming webhooks from services like Stripe, GitHub, or Slack by comparing their HMAC signatures with your secret key
Message Integrity: Ensure data hasn't been tampered with by verifying HMAC signatures of files, documents, or transmitted messages
OAuth & Token Generation: Create secure authentication tokens and signatures for OAuth implementations and secure communication protocols
Database Security: Verify data integrity in databases by storing HMAC values alongside sensitive records and checking them periodically

HMAC Generator

How It Works

Common Use Cases

Frequently Asked Questions