🛠️ ToolsShed

HMAC Generator

Generate HMAC signatures from message and secret key using SHA-256/384/512.

About this tool

HMAC (Hash-based Message Authentication Code) is a cryptographic technique used to verify the integrity and authenticity of data in transit or at rest. By combining a secret key with a message, HMAC produces a unique signature that proves the data hasn't been altered and that only someone with the secret key could have created it. This makes it essential for securing APIs, validating webhooks, signing credentials, and protecting sensitive communications across the internet.

To use this tool, enter your message in the text field and provide a secret key that you share with the recipient. Choose the hash algorithm (SHA-256, SHA-384, or SHA-512) based on your security requirements, then click "Generate HMAC" to produce the signature. The resulting hash can be sent alongside your data so the recipient can verify authenticity by generating the same HMAC with their copy of the secret key.

HMAC is widely used by payment processors, cloud APIs (AWS, Google Cloud, Stripe), and real-time communication systems to prevent tampering and confirm message origin. The SHA-256 variant provides strong security for most use cases, while SHA-384 and SHA-512 offer additional security margin for highly sensitive applications. Remember that the security of HMAC depends entirely on keeping your secret key private; never share it over insecure channels.

Code Implementation

import hmac
import hashlib
import base64
import secrets

# Generate HMAC-SHA256
key = secrets.token_bytes(32)   # 256-bit random key
message = "Hello, World!"

# Raw hex output
mac = hmac.new(key, message.encode(), hashlib.sha256)
print("HMAC-SHA256 (hex):", mac.hexdigest())

# Base64 output (common for API signatures)
mac_b64 = base64.b64encode(mac.digest()).decode()
print("HMAC-SHA256 (b64):", mac_b64)

# HMAC-SHA512
mac512 = hmac.new(key, message.encode(), hashlib.sha512)
print("HMAC-SHA512 (hex):", mac512.hexdigest())

# Constant-time verification (prevents timing attacks)
def verify_hmac(key: bytes, message: str, expected: str) -> bool:
    computed = hmac.new(key, message.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(computed, expected)

signature = mac.hexdigest()
print("Valid:  ", verify_hmac(key, message, signature))   # True
print("Invalid:", verify_hmac(key, "tampered", signature)) # False
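
The recipient-side check described above, as an added example that is not part of the original page's code. It extends the SHA-256 hex case to the three digests the tool offers and to both hex and Base64 tags. The names `sign`, `decode_tag` and `verify`, and the sample key and payload, are constructed for illustration.

```python
import base64
import hashlib
import hmac

# The three digests the tool offers; the recipient pins one of these
# rather than trusting an algorithm name sent with the message.
ALGORITHMS = {
    "SHA-256": hashlib.sha256,
    "SHA-384": hashlib.sha384,
    "SHA-512": hashlib.sha512,
}


def sign(key: bytes, body: bytes, algorithm: str = "SHA-256") -> bytes:
    """Sender side: raw HMAC tag over the exact bytes that will be sent."""
    return hmac.new(key, body, ALGORITHMS[algorithm]).digest()


def decode_tag(text: str, size: int):
    """Decode a hex or Base64 tag; None unless it is exactly `size` bytes."""
    text = text.strip()
    try:
        if len(text) == size * 2:
            raw = bytes.fromhex(text)
        else:
            raw = base64.b64decode(text, validate=True)
    except ValueError:  # also covers binascii.Error from malformed Base64
        return None
    return raw if len(raw) == size else None


def verify(key: bytes, body: bytes, received: str, algorithm: str = "SHA-256") -> bool:
    """Recipient side: recompute the tag and compare in constant time."""
    digest = ALGORITHMS.get(algorithm)
    if digest is None:
        return False
    expected = hmac.new(key, body, digest).digest()
    tag = decode_tag(received, len(expected))
    # Malformed or truncated tags are rejected, never prefix-matched.
    return tag is not None and hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"                 # constructed, not a real secret
    body = b'{"amount": 100, "currency": "EUR"}'  # constructed sample payload
    tag = sign(key, body, "SHA-512")
    print(verify(key, body, tag.hex(), "SHA-512"))
    print(verify(key, body, base64.b64encode(tag).decode(), "SHA-512"))
    # The same JSON re-serialized without spaces is a different message.
    print(verify(key, body.replace(b" ", b""), tag.hex(), "SHA-512"))
```

The tag covers the exact bytes received, so verify the raw request body before parsing it; re-serializing the data first changes the bytes and the check fails.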
