Online HMAC Calculator

Generate an HMAC signature for any message using SHA-1, SHA-256, SHA-384, or SHA-512. Useful for API request signing, webhook verification, and message authentication testing.

Tip: Use exactly the same encoding, algorithm, and raw bytes as your server implementation.

What is an HMAC?

HMAC stands for Hash-based Message Authentication Code. It mixes a secret key into the hashing of a message (using two nested hash passes, not a plain hash of key plus message) to produce a signature. That signature lets you verify two things: the message was not changed, and it came from someone who knows the secret key.

Unlike plain hashing, HMAC is keyed. A regular hash like SHA-256 can prove data consistency, but it cannot prove who created the hash. HMAC solves that by introducing a shared secret.

How to use this HMAC calculator

  • Enter your message in the Message field.
  • Choose the message encoding: Text, Hex, or Base64.
  • Enter your secret in Secret Key.
  • Select key encoding (Text/Hex/Base64).
  • Pick algorithm (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512).
  • Click Generate HMAC to compute the signature.

If your result does not match another system, the mismatch is usually encoding-related: whitespace, UTF-8 handling, newline characters, or incorrect hex/base64 parsing.

Where HMAC is commonly used

1) API request signing

Many REST APIs require clients to sign a canonical request string with HMAC-SHA256. The server recomputes the signature and compares it to what you sent.

2) Webhook verification

Payment and messaging platforms often attach an HMAC header so you can confirm webhook payload authenticity. Always verify with the raw request body before parsing JSON.

3) Signed links and tokens

HMAC can protect one-time URLs, temporary download links, and action tokens from tampering.

HMAC vs Hashing vs Encryption

  • Hashing: One-way fingerprint of data. No secret required.
  • HMAC: Hash + secret key. Proves authenticity and integrity.
  • Encryption: Protects confidentiality by making data unreadable without a key.

These tools solve different problems. HMAC does not hide message contents; it validates trust and integrity.

Common causes of signature mismatch

Encoding mismatch

Text vs hex vs base64 differences are the most frequent source of errors. Even a single byte mismatch changes the whole HMAC output.

Different canonical strings

APIs often require precise formatting for signed content (path, query order, headers, timestamp). Small formatting differences break verification.

Wrong algorithm

HMAC-SHA1 and HMAC-SHA256 produce completely different results. Confirm your provider’s exact algorithm requirement.

Unexpected whitespace/newlines

Trailing spaces and newline characters count as bytes. Use the exact payload that was signed.

Security best practices

  • Use strong random secrets and rotate them periodically.
  • Prefer HMAC-SHA256 or stronger for new systems.
  • Compare signatures in constant time on the server to reduce timing leak risk.
  • Never expose production secrets in frontend code.
  • For webhook verification, sign/verify the raw body exactly as received.
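The raw-body and constant-time rules above, together with the mismatch causes listed earlier, shown as an added Python example (not this calculator's own code). It uses only the standard library; the key, the webhook body and the function names are constructed for illustration.

```python
import base64
import hmac
import json

ALGORITHMS = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}


def decode(value: str, encoding: str) -> bytes:
    """Convert a field to raw bytes according to its declared encoding."""
    if encoding == "text":
        return value.encode("utf-8")
    if encoding == "hex":
        return bytes.fromhex(value)
    if encoding == "base64":
        return base64.b64decode(value, validate=True)
    raise ValueError(f"unknown encoding: {encoding}")


def compute_hmac(message: bytes, key: bytes, algorithm: str = "SHA-256") -> str:
    """Return the HMAC of the exact bytes given, as lowercase hex."""
    return hmac.new(key, message, ALGORITHMS[algorithm]).hexdigest()


def verify(raw_body: bytes, key: bytes, sig_hex: str, algorithm: str = "SHA-256") -> bool:
    """Recompute over the raw bytes and compare in constant time."""
    try:
        received = bytes.fromhex(sig_hex.strip())
    except ValueError:
        return False  # malformed signature header: reject, do not raise
    expected = hmac.new(key, raw_body, ALGORITHMS[algorithm]).digest()
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    key = decode("4a656665", "hex")              # constructed key: b"Jefe"
    raw = b'{"amount": 100,  "id":"evt_1"}\n'    # constructed webhook body
    sig = compute_hmac(raw, key)                 # what the sender would attach
    reserialized = json.dumps(json.loads(raw)).encode()
    return {
        "raw body": verify(raw, key, sig),
        "parsed and re-serialized": verify(reserialized, key, sig),
        "trailing newline stripped": verify(raw.rstrip(), key, sig),
        "key read as text, not hex": verify(raw, decode("4a656665", "text"), sig),
        "wrong algorithm": verify(raw, key, sig, "SHA-1"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the first case verifies; every other case changes at least one input byte or the hash function, so the recomputed HMAC no longer matches.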

Quick testing tip

Click Load Example to populate sample values. This is handy for validating your local implementation and checking if your own backend produces the same HMAC output.