HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to provide both integrity and authentication for a message. If the HMAC verifies, you know the message has not been modified and that it was created by someone who knows the shared secret key.

Which HMAC algorithms should I use?

For modern systems, HMAC-SHA-256 or HMAC-SHA-512 are generally recommended. Legacy hashes such as MD5, MD4, MD2 or SHA-1 are kept mainly for interoperability and testing and should be avoided in new designs.

Are my keys or messages uploaded to the server?

This HMAC generator is designed so that computation happens on the server but keys are not stored or logged on disk. You should still avoid using production secrets from untrusted or shared environments.

How strong should my HMAC key be?

Your HMAC key should be at least as strong as the hash output. For HMAC-SHA-256, a randomly generated 128-256 bit key (16-32 bytes) is sufficient. Avoid short, guessable keys; use a cryptographic random generator instead.

HMAC Generator

Keyed Hash Integrity + Auth API Signing

Anish Nath

OpenSSL Commands

Generate HMAC-SHA-256 from command line:

echo -n "message" | openssl dgst -sha256 -hmac "secret-key"

Using a key file:

openssl dgst -sha256 -hmac "$(cat keyfile)" -binary message.txt | base64

HMAC Results

HMAC Results Will Appear Here

Enter a message, secret key, select algorithms, then click Compute HMAC

Algorithm Guide

Algorithm	Output Size	Status
HMAC-SHA-256	256 bits (32 bytes)	Recommended
HMAC-SHA-512	512 bits (64 bytes)	Recommended
HMAC-SHA-1	160 bits (20 bytes)	Legacy
HMAC-MD5	128 bits (16 bytes)	Weak
HMAC-RIPEMD-160	160 bits (20 bytes)	Niche

Understanding HMAC

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a construction that combines a cryptographic hash function with a secret key. It provides two properties:

Integrity: Confirms the message hasn't been modified
Authentication: Proves the sender knows the shared secret

The HMAC formula: HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))

Why Use HMAC Instead of Plain Hash?

A plain hash like SHA-256(message) only detects accidental changes. Anyone can recompute it. HMAC adds a secret key so only authorized parties can generate or verify the MAC.

Common Use Cases

API Request Signing: AWS Signature V4, Stripe webhooks
JWT Tokens: HS256 algorithm uses HMAC-SHA-256
Webhook Verification: GitHub, Slack webhook signatures
Key Derivation: HKDF uses HMAC internally
VPN/IPsec: Integrity protection in network protocols

Key Strength Recommendations

HMAC-SHA-256: Use 256-bit (32 byte) keys
HMAC-SHA-512: Use 512-bit (64 byte) keys
Minimum: 128-bit (16 byte) random key
Always use cryptographic random generator

Code Examples

Python

import hmac
import hashlib

key = b'secret-key'
message = b'Hello, World!'
signature = hmac.new(key, message, hashlib.sha256).hexdigest()
print(signature)

Node.js

const crypto = require('crypto');

const key = 'secret-key';
const message = 'Hello, World!';
const hmac = crypto.createHmac('sha256', key)
                   .update(message).digest('hex');
console.log(hmac);

Security Standards & References

Related Tools

Support This Free Tool

Every coffee helps keep the servers running. Every book sale funds the next tool I'm dreaming up. You're not just supporting a site — you're helping me build what developers actually need.

500K+ users

200+ tools

100% private

☕ One-time support Buy me a coffee 📚 Learn & support 9-Book Bundle - $9 Stay updated Follow @anish2good

Privacy Guarantee: Private keys you enter or generate are never stored on our servers. All tools are served over HTTPS.

HMAC Generator

Generate HMAC

OpenSSL Commands

HMAC Results

HMAC Results Will Appear Here

Algorithm Guide

Understanding HMAC

What is HMAC?

Why Use HMAC Instead of Plain Hash?

Common Use Cases

Key Strength Recommendations

Code Examples

Security Standards & References

Related Tools

Hash Generator

BCrypt

Scrypt

Argon2

JWT Decoder

Encryption

Support This Free Tool

Quick Access

PGP Tools

Sharing Services

Security Tools

Cryptography

Network Tools

Legal & Compliance

DevOps/Container

Blockchain

Encoders/Converters

Developer Tools

Machine Learning Visualizers

Media Tools

Documents & PDF

Finance

Health

Lifestyle & Productivity

Chemistry

Math & Education

Physics Tools

Internationalization