HMAC Generator
Generate HMAC signatures using SHA-256, SHA-512, and other algorithms. Output in hex or base64.
What Is an HMAC Generator?
An HMAC generator computes a Hash-based Message Authentication Code — a cryptographic signature that proves a message was created by someone who holds a specific secret key and that the message has not been tampered with. This tool supports HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512, with output in either hexadecimal or base64 encoding. It uses the browser's built-in Web Crypto API, so your message and secret key never leave your device.
How to Use the HMAC Generator
- Enter the message you want to sign in the Message field.
- Enter your secret key in the Secret Key field. Use the eye icon to toggle visibility.
- Select the hash algorithm (SHA-256 is recommended for most use cases).
- Choose the output encoding: hex or base64.
- Click Generate HMAC. Copy the result with the Copy button.
Features
- Supports HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
- Output in hex or base64 encoding
- Show/hide secret key toggle
- One-click copy to clipboard
- Powered by the Web Crypto API — runs entirely in your browser
- No data is sent to any server
FAQ
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message. It combines a cryptographic hash function (such as SHA-256) with a secret key. Only parties who know the secret key can produce or verify the correct HMAC for a given message.
Which HMAC algorithm should I use?
HMAC-SHA-256 is the most widely used and is recommended for most applications. HMAC-SHA-512 provides a larger output and is preferred in high-security contexts. HMAC-SHA-1 is still used in legacy systems (e.g., OAuth 1.0), but HMAC-SHA-256 or higher is preferred for new implementations.
What is the difference between hex and base64 output?
Both hex and base64 are encodings of the same binary HMAC value. Hex uses 0–9 and a–f characters and is easier to read. Base64 uses A–Z, a–z, 0–9, +, and / and produces a shorter string. Choose the format expected by the system you are integrating with.
Is my secret key safe?
Yes. All computation happens in your browser using the Web Crypto API. Your message and secret key are never sent to any server.
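The computation described on this page can be reproduced with a few Web Crypto API calls. The following is an added example, not the tool's own source code; the function names (`getSubtle`, `importKey`, `hmac`, `verifyHex`) are hypothetical, and the sample key and message are RFC 4231 test case 2. It signs in hex or base64 and checks a received MAC with `subtle.verify` rather than a hand-written string comparison.

```javascript
// Added example: HMAC sign/verify with the Web Crypto API (browser or Node.js).
const HASHES = ['SHA-1', 'SHA-256', 'SHA-384', 'SHA-512'];
const enc = new TextEncoder();

async function getSubtle() {
  if (globalThis.crypto?.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle; // older Node.js without global crypto
}

// Import the secret as a non-extractable HMAC key limited to the given usages.
async function importKey(secret, hash, usages) {
  if (!HASHES.includes(hash)) throw new Error(`unsupported hash: ${hash}`);
  const subtle = await getSubtle();
  return subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash }, false, usages);
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Compute the MAC; hex and base64 are two encodings of the same bytes.
async function hmac(message, secret, hash = 'SHA-256', encoding = 'hex') {
  const key = await importKey(secret, hash, ['sign']);
  const subtle = await getSubtle();
  const mac = new Uint8Array(await subtle.sign('HMAC', key, enc.encode(message)));
  return encoding === 'base64' ? toBase64(mac) : toHex(mac);
}

// Verify a hex MAC received alongside a message. Malformed hex is rejected up front.
async function verifyHex(message, secret, macHex, hash = 'SHA-256') {
  if (!/^([0-9a-f]{2})+$/i.test(macHex)) return false;
  const key = await importKey(secret, hash, ['verify']);
  const subtle = await getSubtle();
  return subtle.verify('HMAC', key, fromHex(macHex), enc.encode(message));
}

// RFC 4231 test case 2 (key "Jefe"), printed as hex:
// 5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
hmac('what do ya want for nothing?', 'Jefe').then(console.log);
```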