HMAC generator
Sign a message with HMAC-SHA-1/256/384/512. Output as hex or Base64.
What this tool helps with
HMAC proves a message came from someone holding a shared secret and was not altered, by combining the secret with the message under a hash like SHA-256. It is what signs webhook payloads (Stripe, GitHub) and API requests. This tool computes HMAC-SHA-1/256/384/512 with SubtleCrypto and outputs hex or Base64 so you can reproduce or verify a signature locally. The secret never leaves your browser, which is the whole point of pasting it here rather than into a service that logs it.
How to use HMAC generator
- Open the HMAC generator page and paste, type, or generate the HMAC input you want to work with.
- Pick the options you need: the hash (HMAC-SHA-1/256/384/512) and the output encoding (hex or Base64).
- Copy the signature with one click and use it in your next step: terminal, editor, ticket, or anywhere else you need it.
Common uses
- Reach for the HMAC generator when you need to sign a message with HMAC-SHA-1/256/384/512 and get hex or Base64 output during debugging, code review, or content preparation.
- Skip installing a desktop HMAC app: open this hashing utility on a shared machine, an iPad, or a colleague's laptop and it just works.
- Bookmark or share the page when you and your team keep coming back to the same HMAC signing workflow.
FAQ
HMAC vs a plain hash of secret+message — what's the difference?
Naively hashing secret‖message is vulnerable to length-extension attacks on some hash constructions. HMAC's nested keyed construction is specifically designed to resist that, which is why standards mandate HMAC rather than ad-hoc concatenation.
Why doesn't my signature match the webhook's?
Usual causes: signing a re-serialized body instead of the exact raw bytes received, a hex/Base64 output mismatch, or the wrong algorithm. Sign the raw request body verbatim with the documented hash.
Hex or Base64 output?
Whichever the verifying side expects. They encode the same bytes; comparing across encodings will always fail. Check the provider's docs for which they send.