What is HMAC used for?

HMAC binds a message to a shared secret key so the receiver can verify both integrity and authenticity. It is widely used to sign API requests, verify webhook payloads (Stripe, GitHub, Slack) and protect tokens.

How is HMAC different from a plain hash?

A plain hash like SHA-256 can be computed by anyone, so it only proves integrity. HMAC mixes in a secret key, so only parties who know the key can produce or verify the same value.

Which algorithm should I choose?

Match what the receiving service expects. HMAC-SHA-256 is the default for Stripe, GitHub, Slack and most APIs. SHA-384 and SHA-512 produce longer codes for higher security margins but are less common.

How long is each HMAC output?

The hex output length equals the hash size: HMAC-SHA-256 is 64 hex characters (256 bits), SHA-384 is 96 characters (384 bits), and SHA-512 is 128 characters (512 bits).

How do I verify a webhook signature with this?

Paste the platform secret as the key and the exact raw request body as the message, then compare the generated hex against the signature header the platform sent. They must match byte-for-byte.

Does the key or message encoding matter?

Yes. This tool treats both as UTF-8 text. If your API specifies a different encoding (for example a base64 or hex-decoded secret) the result will not match — encode the inputs to UTF-8 text first.

Is my secret key uploaded anywhere?

No. The key and message never leave your browser — the HMAC is computed locally with the Web Crypto API.

HMAC Generator — Gera Tools

HMAC generator — SHA-256, SHA-384 and SHA-512

A HMAC (Hash-based Message Authentication Code, RFC 2104) combines a secret key with your message to produce a keyed hash. Anyone who knows the key can recompute the same value, which proves the message was not tampered with and came from someone holding the key. It is the standard way to sign API requests and verify webhook payloads.

How it works

The tool uses the browser’s Web Crypto API. It UTF-8 encodes your secret key and imports it as an HMAC key bound to the chosen hash (SHA-256, SHA-384 or SHA-512), UTF-8 encodes your message, then calls crypto.subtle.sign to produce the authentication code. The resulting bytes are rendered as a lowercase hex string. Internally HMAC hashes the key combined with the message twice with inner and outer padding, which is what makes it resistant to length-extension attacks that affect a naive key-plus-message hash. The output updates live as you type.

Example

With key topsecret and message hello, HMAC-SHA-256 produces a fixed 64-character hex string. Re-running with the same inputs always gives the same value; changing a single character of either input changes the entire output.

Algorithm	Output bits	Hex length
HMAC-SHA-256	256	64
HMAC-SHA-384	384	96
HMAC-SHA-512	512	128

Everything runs locally in your browser via the Web Crypto API — your key and payload are never sent over the network.