HMAC Generator

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a message authentication code. Unlike a simple hash which anyone can compute from the same input, an HMAC requires knowledge of the secret key — only parties that share the secret can produce and verify the correct HMAC for a given message. This makes HMAC ideal for verifying both data integrity (the message hasn't been tampered with) and authenticity (the message came from someone who knows the secret). The HMAC algorithm works by combining the key with the message in a specific way before hashing, using two rounds of hashing with inner and outer padding derived from the key. Common HMAC variants include HMAC-SHA256 (most widely used), HMAC-SHA512 (higher security margin), and HMAC-MD5 (legacy, not recommended). The AllTools HMAC Generator computes HMACs using the Web Crypto API's SubtleCrypto.sign() method — the same cryptographic implementation browsers use for HTTPS and other security features. Your messages and secret keys are processed entirely in the browser — critical since these are by definition sensitive security values.

HMAC authentication is used throughout modern API and webhook security. Webhook verification is the most common application — services like Stripe, GitHub, Shopify, and Twilio sign webhook payloads with HMAC-SHA256 using a shared secret. The receiving server computes the HMAC of the received payload using the same secret and compares it to the signature in the request header, verifying that the webhook genuinely came from the expected service and hasn't been tampered with. API request signing uses HMAC to authenticate API calls — AWS Signature Version 4 uses HMAC-SHA256 to sign every API request, proving the caller's identity without sending the secret key over the network. OAuth 1.0 uses HMAC-SHA1 for request signing. Message queuing systems use HMAC to verify message authenticity between producers and consumers. The AllTools HMAC Generator helps developers debug authentication issues — generate the expected HMAC for a test payload, compare it to what your code produces, and identify discrepancies in key encoding, payload formatting, or algorithm selection. Common HMAC debugging issues include: hex vs Base64 encoding of the key, trailing newlines in the payload, and incorrect character encoding of non-ASCII content.