HMAC Generator (HMAC-SHA256 in Browser)

A page that generates HMAC-SHA256 values with no network access, for fast HMAC calculation and signature verification.

Everything runs locally in your browser. Keys and messages are never transmitted or saved.

Local computation. No storage. No network transmission. Hex and Base64.

How to use (how to create an HMAC signature)

  1. Enter the key. If your API spec provides binary key bytes, choose Hex or Base64 input format.
  2. Enter the message payload to sign.
  3. Choose output format (Hex / Base64 / Base64URL) and copy the result.

HMAC operates on bytes, not on the text as displayed. The UTF-8 encoding, newline differences, and extra spaces all change the result.

Examples (test vectors)

Example 1 (short check)

Input: Key = secret (UTF-8), Message = message (UTF-8)

HMAC-SHA256 (Hex):
8b5f48702995c1598c573db1e21866a9b825d4a794d169d7060a03605796360b

HMAC-SHA256 (Base64):
i19IcCmVwVmMVz2x4hhmqbgl1KeU0WnXBgoDYFeWNgs=

Example 2 (common phrase)

Input: Key = key, Message = The quick brown fox jumps over the lazy dog

Hex:
f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8

Base64:
97yD9DBThCSxMpjmqm+xQ+9NWaFJRhdZl0edvC0aPNg=

Common pitfalls

  • LF vs CRLF newline differences produce different signatures.
  • Trimming leading/trailing whitespace may break API signature matching.
  • Base64URL often means replacing + with -, / with _, and omitting the = padding. Check your API spec.
  • If a key is distributed as Hex/Base64 bytes, treating it as plain text causes mismatches.
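
The steps and pitfalls above, reproduced outside the browser as an added example (not this tool's own code): it uses Node's built-in crypto module, and the names keyBytes, hmacSha256, verifyHex and pitfallReport are illustrative. It recomputes Example 2, shows each pitfall changing the MAC on constructed inputs, and compares a received signature in constant time.

```javascript
// Added example: cross-checks the page's Example 2 with Node's built-in crypto.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Decode the key the way the API spec distributes it: 'utf8', 'hex' or 'base64'.
function keyBytes(key, format = 'utf8') {
  if (format === 'hex' && !/^([0-9a-fA-F]{2})+$/.test(key)) {
    throw new Error('key is not valid hex'); // Buffer.from would silently truncate
  }
  return Buffer.from(key, format);
}

// HMAC-SHA256 over the exact message bytes; text is encoded as UTF-8, untrimmed.
function hmacSha256(key, message, { keyFormat = 'utf8', output = 'hex' } = {}) {
  const mac = createHmac('sha256', keyBytes(key, keyFormat))
    .update(Buffer.from(message, 'utf8'))
    .digest();
  if (output === 'hex') return mac.toString('hex');
  const b64 = mac.toString('base64');
  if (output === 'base64') return b64;
  if (output === 'base64url') {
    return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  }
  throw new Error(`unknown output format: ${output}`);
}

// Verify a received hex signature without leaking the mismatch position via timing.
function verifyHex(key, message, receivedHex, keyFormat = 'utf8') {
  const expected = Buffer.from(hmacSha256(key, message, { keyFormat }), 'hex');
  const received = Buffer.from(receivedHex, 'hex');
  return received.length === expected.length && timingSafeEqual(received, expected);
}

// Constructed inputs: each pitfall from the list yields a different MAC.
const FOX = 'The quick brown fox jumps over the lazy dog';
function pitfallReport() {
  return {
    example2: hmacSha256('key', FOX),
    newline: hmacSha256('key', 'a\nb') !== hmacSha256('key', 'a\r\nb'),
    trimmed: hmacSha256('key', ' body ') !== hmacSha256('key', 'body'),
    keyAsText: hmacSha256('6b6579', FOX) !== hmacSha256('6b6579', FOX, { keyFormat: 'hex' }),
  };
}

console.log(pitfallReport());
```

Here 6b6579 is the hex encoding of the text key "key", so decoding it as Hex reproduces Example 2 while treating it as plain text does not.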

FAQ

Is my key stored?

No. This tool computes in your browser and does not send key/message inputs to any server.

Base64 or Hex?

Both are common. You can choose Hex / Base64 / Base64URL output to match your API spec.

What character encoding is used (UTF-8)?

Text input is encoded as UTF-8 before HMAC calculation. For binary values, use Hex/Base64 input.

What is the difference between HMAC and SHA-256 hash?

SHA-256 is a plain hash. HMAC adds a secret key for message authentication.

My output does not match. What should I check?

Check key interpretation (text vs bytes), newline handling, whitespace trimming, and Base64URL rules.

Supplement

What is HMAC?

HMAC is a keyed-hash message authentication code using a secret key and a hash function.

Difference from SHA-256

SHA-256 alone has no secret key. HMAC-SHA256 requires a shared key and is used for signatures.

Typical use cases

API request signing, webhook verification, and token integrity checks.