🔐 HMAC Generator

// HMAC-SHA256 · HMAC-SHA384 · HMAC-SHA512 via Web Crypto API

Your secret key and message never leave your browser. All signing runs via the native Web Crypto API.

Algorithm

Output

Secret key

Message

0 bytes

HMAC-SHA256 signature

Enter a secret and message to generate the HMAC signature

Algorithm: — Output length: — Format: —

Paste signature to verify

Algorithm reference

Algorithm	Output size	Hex chars	Min key length	Common use
HMAC-SHA256	256 bits / 32 bytes	64	32 bytes recommended	JWT (HS256), API request signing, webhook verification
HMAC-SHA384	384 bits / 48 bytes	96	48 bytes recommended	JWT (HS384), higher-assurance API signing
HMAC-SHA512	512 bits / 64 bytes	128	64 bytes recommended	JWT (HS512), high-security message authentication

⚠
HMAC is a symmetric primitive The same secret is used to both sign and verify. Anyone with the secret can forge signatures. For public APIs where verifiers should not be able to sign, use an asymmetric algorithm (RS256, ES256) instead.
i
Key length matters The HMAC key should be at least as long as the hash output (32 bytes for SHA-256). Shorter keys reduce security. Use a cryptographically random key — never a human-memorable password directly.
✓
Timing-safe comparison for verification In production code, always compare HMAC signatures using a constant-time comparison function to prevent timing attacks. This tool uses crypto.subtle.verify() which is timing-safe.