HMAC Generator

Generate deterministic HMAC signatures from a key and a message.

Use the tool

Use HMAC Generator to calculate keyed hashes for API signing, webhook verification, and test payload debugging.

Why use HMAC Generator

  • Generate HMAC-SHA256 or HMAC-SHA512 signatures for API request signing tests.
  • Compare webhook signatures while debugging payload, key, and encoding mismatches.
  • Create expected signatures for unit tests, docs, and integration examples.
  • Explain the difference between a plain hash and a keyed message authentication code.

About this tool

HMAC signatures for API debugging

HMAC Generator combines a secret key with a message and hash algorithm to produce a keyed signature. This is useful when testing webhooks, API auth, and signed payloads.

Payload and key encoding matter

Most HMAC mismatches come from small differences in raw payload bytes, line endings, character encoding, JSON spacing, timestamp strings, or whether the key is plain text, hex, or Base64.

Protect real secrets

HMAC depends on the secrecy of the key. Use test keys in browser tools whenever possible and avoid pasting production signing secrets into shared environments.

Example usage

Input

Key: test-secret
Message: {"event":"paid"}
Algorithm: HMAC-SHA256

Output

Deterministic HMAC-SHA256 signature for the exact key and message bytes.

Practical guide for HMAC Generator

Best practices

  • Use test keys and sample payloads whenever possible.
  • Match the provider's exact payload bytes, algorithm, and output encoding.
  • Compare signatures using constant-time comparison in production code.

Common mistakes

  • Hashing the message without the secret key and calling it HMAC.
  • Changing JSON whitespace or line endings before generating a signature.
  • Confusing hex, Base64, and plain-text key formats.
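
The checks listed above, as an added example in Python (standard library only; this is not ToolHarbor's code). It verifies a signature with a constant-time comparison and, when a signature does not match, reports which key format, payload edit, or algorithm would reproduce it. The function names and the set of payload variants are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json

def decode_key(text: str, fmt: str) -> bytes:
    """Turn the key as typed into the raw bytes HMAC is keyed with."""
    if fmt == "hex":
        return bytes.fromhex(text)
    if fmt == "base64":
        return base64.b64decode(text, validate=True)
    return text.encode("utf-8")  # "plain"

def sign(key: bytes, payload: bytes, alg: str = "sha256") -> str:
    return hmac.new(key, payload, getattr(hashlib, alg)).hexdigest()

def verify(key: bytes, payload: bytes, received_hex: str, alg: str = "sha256") -> bool:
    # Constant-time comparison of the expected and received hex digests.
    expected = sign(key, payload, alg).encode()
    return hmac.compare_digest(expected, received_hex.strip().lower().encode())

def payload_variants(raw: bytes):
    """Distinct (label, bytes) forms a payload takes after common accidental edits."""
    lf = raw.replace(b"\r\n", b"\n")
    forms = [("raw bytes", raw), ("LF line endings", lf),
             ("CRLF line endings", lf.replace(b"\n", b"\r\n")),
             ("trailing newline added", raw + b"\n"),
             ("trailing newline stripped", raw.rstrip(b"\r\n"))]
    try:
        obj = json.loads(raw)
        forms += [("JSON re-serialized, default spacing", json.dumps(obj).encode()),
                  ("JSON re-serialized, compact", json.dumps(obj, separators=(",", ":")).encode())]
    except ValueError:
        pass  # not JSON, so only the byte-level variants apply
    distinct = {}
    for label, body in forms:
        distinct.setdefault(body, label)  # identical bytes keep their first label
    return [(label, body) for body, label in distinct.items()]

def diagnose(key_text: str, raw: bytes, received_hex: str):
    """List the (key format, payload variant, algorithm) combinations that reproduce received_hex."""
    hits = []
    for fmt in ("plain", "hex", "base64"):
        try:
            key = decode_key(key_text, fmt)
        except ValueError:
            continue  # the key text is not valid in this format
        hits += [(fmt, label, alg) for label, body in payload_variants(raw)
                 for alg in ("sha256", "sha512") if verify(key, body, received_hex, alg)]
    return hits
```

With the page's example key `test-secret` and message `{"event":"paid"}`, a signature that was computed over the `json.dumps` output `{"event": "paid"}` is reported by `diagnose` as `("plain", "JSON re-serialized, default spacing", "sha256")`.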

How this tool works

  1. Open HMAC Generator and review the default example input.
  2. Paste your own input or upload source data when required.
  3. Run HMAC Generator to generate output instantly in the browser.
  4. Verify the output using the preview and formatting helpers on the page.
  5. Copy the final result and continue with a related tool if needed.

FAQ

What is HMAC used for?

HMAC is used to verify message authenticity and integrity when both sides share a secret key, such as webhook and API signing workflows.

How is HMAC different from a regular hash?

A regular hash uses only the message. HMAC uses both the message and a secret key, making it suitable for authenticity checks.

Why does my HMAC not match?

Check payload bytes, JSON formatting, line endings, timestamp text, key encoding, algorithm choice, and output encoding.

Should I use production secrets here?

Prefer test secrets. If you must inspect sensitive data, follow your team's security policy and avoid sharing output publicly.