HMAC Generator Runs entirely in browser
Slovenčina
English 日本語 ລາວ Монгол Oʻzbekcha Тоҷикӣ Кыргызча Қазақша Azərbaycan Հայերեն ქართული العربية Български বাংলা čeština Dansk Deutsch Ελληνικά Español Eesti Suomi Français हिन्दी ગુજરાતી ಕನ್ನಡ मराठी മലയാളം Srpski Slovenčina Slovenščina Kiswahili Hrvatski Magyar Indonesia Italiano 한국어 Lietuvių Latviešu Nederlands Norsk Svenska Polski Português Română Русский Українська Беларуская Shqip اردو தமிழ் తెలుగు Türkçe ภาษาไทย Tiếng Việt 简体中文 繁體中文 עברית ខ្មែរ Melayu မြန်မာ ਪੰਜਾਬੀ සිංහල Tagalog नेपाली فارسی
No Data Sent

HMAC Generator (Calculate HMAC-SHA256 in Browser)

An HMAC calculation tool to generate HMAC SHA256 right here. Keys and inputs are neither sent nor stored.

Supports Text/Hex/Base64 inputs and Hex/Base64 outputs. Securely calculates using the browser's standard Crypto API.

Local Calculation No Storage Hex/Base64 Supported

Input and Output

This page performs calculations entirely within the browser and does not send data.

No Data Sent
Input Format

* The 'byte sequence' as per API specifications is important. If the key is binary, please enter it in Hex/Base64.

Input Format
Output Length: 32 bytes (SHA-256)
Options

Results will change if newline codes differ due to OS or copy-pasting.

Since API signatures assume 'exact match', keeping as is is generally recommended.

Usage

The basic 3 steps for creating an HMAC signature.

  1. 1 Enter Key (Select Hex / Base64 if API spec is binary)
  2. 2 Enter Message (String to sign / payload)
  3. 3 Select Output Format (Hex / Base64) and Copy

HMAC is calculated on 'byte sequences', not 'character strings'. Even if they look the same, results will differ if character encoding, newlines, or extra whitespace differ (assumes UTF-8).

Examples (Test Vectors for Verification)

Click 'Load Example' to populate the input fields.

Example 1
Key (Text/UTF-8)
secret
Message (Text/UTF-8)
message
HMAC-SHA256 (Hex)
8b5f48702995c1598c573db1e21866a9b825d4a794d169d7060a03605796360b
HMAC-SHA256 (Base64)
i19IcCmVwVmMVz2x4hhmqbgl1KeU0WnXBgoDYFeWNgs=
Example 2
Key (Text/UTF-8)
key
Message (Text/UTF-8)
The quick brown fox jumps over the lazy dog
HMAC-SHA256 (Hex)
f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8
HMAC-SHA256 (Base64)
97yD9DBThCSxMpjmqm+xQ+9NWaFJRhdZl0edvC0aPNg=

Common Pitfalls

Newline Code Differences (LF/CRLF)

Results change if newline handling varies.

Trimming (Removing Whitespace)

Since signatures assume exact matches, removing whitespace may cause mismatches.

Base64URL Notation

Base64URL typically uses +→-, /→_, and omits =. Please check the specifications.

Key Handling (Text vs Binary)

Example: Entering 'deadbeef' as a 'string' vs entering it as 'byte sequence 0xDE 0xAD...'.

Supplementary Information

What is HMAC?

A mechanism to create a signature from a secret key and a message. A third party cannot create the same result without the same key.

Difference from SHA-256

SHA-256 is a 'hash', HMAC is a 'keyed hash (signature)'.

Use Cases

Used for API signatures, Webhook verification, request tampering detection, etc.

FAQ

Is the key stored?

It is not stored. This tool calculates within the browser and does not send keys or messages to a server. (※As a precaution, please reset after inputting on a shared PC)

Base64 or Hex?

Both are used. You can select the output format (Hex / Base64 / Base64URL). Please choose according to the API specifications.

Character Encoding?

Assumes UTF-8. Text input is converted to bytes as UTF-8 for calculation. Use Hex / Base64 input for handling binary.

Difference between HMAC and SHA-256 hash?

SHA-256 is a 'hash', HMAC is a 'keyed hash (signature)'. The same result cannot be produced unless the keys match.

The output doesn't match

Common causes are (1) Key handling (Text vs Binary), (2) Newlines, (3) Whitespace, (4) Base64URL. Please check the pitfalls above in order.