HMAC Signature Generator/Verifier

Generate and verify HMAC-SHA256, SHA-384, and SHA-512 signatures with Hex or Base64 output. All computation happens locally in your browser — your secret key and payload never leave your device.

This tool is crafted by Authgear
Support and star us on

Your data security is our top priority. All signature generation and verification happen entirely in your browser. This tool does not store or transmit your payloads, secrets, or signatures outside of the browser. See source code in: https://github.com/authgear/authgear-widget-hmac-tool

More Developer Tools

JWT & JWE Debugger
JWK Generator
HMAC Tool
SAML Testing Tool
TOTP Authenticator
Password Hash Generator
Base64 Decode and Encode
UUID v7 Generator & Timestamp Extractor
Passkey Demo & WebAuthn Tester

How the HMAC Signature Generator Works

Step 1.
Enter Payload:
Input the exact message or payload content you want to sign or verify.
Step 2.
Provide Webhook Secret:
Insert the shared secret key used for HMAC generation, typically known only to you and your webhook provider.
Step 3.
Select HMAC Algorithm:
Pick from HS256, HS384, or HS512 according to your application's configuration.
Step 4.
Generate Signature:
Click to compute the HMAC signature for your payload and secret using the selected algorithm.
Step 5.
Paste Received Signature to Verify:
Paste the signature you received from an external system/webhook to compare against your own generated signature.

Supported Algorithms

Compute HMAC signatures with any of these hash algorithms, output as Hex or Base64. Useful for webhook signature verification, API request signing, and data integrity checks.

HS256
HMAC + SHA-256
HS384
HMAC + SHA-384
HS512
HMAC + SHA-512

What is HMAC?

HMAC (Hash-Based Message Authentication Code) is a mechanism that uses a cryptographic hash function and a secret key to produce a signature for a message or payload. This signature provides both data integrity and authentication, ensuring that the message has not been tampered with and is genuinely from the claimed sender.

Why HMAC?

Verifies authenticity of messages, especially in webhook or API callbacks
Prevents tampering or replay attacks by ensuring message integrity
Simple and widely-used cryptographic technique supported by most platforms

Best Practices

Keep your webhook secret confidential and avoid sharing it publicly.
Always verify incoming webhook signatures before processing payloads.
Prefer SHA-256 or stronger; avoid MD5- and SHA-1-based HMACs in new systems.