JSON pretty-print changes signed payload bytes
Bad input: Receiver recomputes HMAC on reformatted JSON body.
Failure: Valid requests are rejected due to signature mismatch.
Fix: Sign and verify exact raw bytes, not reconstructed objects.
HMAC Generator
Generate HMAC-SHA1, SHA256, SHA512 online
Security & Auth
π 100% client-side β your data never leaves this pageMaintained by ToolsKit Editorial Teamβ’Updated: March 5, 2026β’Reviewed: March 5, 2026
Page mode
Input
Quick CTA
Paste the message and secret first, then generate the HMAC; algorithm comparisons and edge cases stay in Deep.
Algorithms
π 100% client-side Β· Web Crypto API
Output
Enter a message and secret key to generate HMAC
Next step workflow
Page reading mode
Deep expands pitfalls, recipes, snippets, FAQ, and related tools when you need troubleshooting or deeper follow-through.
About this tool
Generate HMAC (Hash-based Message Authentication Code) values instantly in your browser. Supports HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512 algorithms. Enter your message and secret key to compute secure authentication hashes using the Web Crypto API. No data is transmitted β everything runs 100% client-side.
Compare & Decision
Hash vs HMAC
Hash
Use it for non-secret checksums and general fingerprinting.
HMAC
Use it for signed payload verification where a shared secret is required.
Note: If trust depends on a secret, plain hashing is not enough.
Shared-secret HMAC vs asymmetric signatures
HMAC
Use it for server-to-server integrations where both sides can securely store one shared secret.
RSA/ECDSA signatures
Use it when key distribution, third-party verification, or non-repudiation requirements are stronger.
Note: HMAC is simple and fast; asymmetric signatures scale better across multiple verifiers.
Fast pass vs controlled workflow
Fast pass
Use for low-impact exploration and quick local checks.
Controlled workflow
Use for production delivery, audit trails, or cross-team handoff.
Note: Hmac Generator is more reliable when acceptance criteria are explicit before release.
Direct execution vs staged validation
Direct execution
Use for disposable experiments and temporary diagnostics.
Stage + verify
Use when outputs will be reused by downstream systems.
Note: Staged validation reduces silent compatibility regressions.
Failure Input Library
Input assumptions are not normalized
Bad input: Edge payloads omit required fields.
Failure: Output appears valid locally but fails during downstream consumption.
Fix: Normalize contracts and enforce preflight checks before export.
Compatibility boundaries are implicit
Bad input: One-step execution bypasses review checkpoints.
Failure: Same source data yields inconsistent outcomes across environments.
Fix: Declare compatibility constraints and verify with an independent consumer.
Direct Answers
Q01
How is HMAC different from a normal hash?
HMAC combines the payload with a shared secret, so it proves both integrity and secret possession rather than just content fingerprinting.
Q02
Why do HMAC signatures break even when the payload looks identical?
Whitespace, line endings, timestamps, ordering, and encoding differences can all change the signed byte stream.
Quick Decision Matrix
Need stable HMAC verification for external callbacks
Recommend: Use raw-byte canonicalization and strict algorithm agreement.
Avoid: Avoid verifying on parsed-and-reserialized payloads.
Local exploration and temporary diagnostics
Recommend: Use fast pass with lightweight verification.
Avoid: Avoid promoting exploratory output directly to production artifacts.
Production release, compliance, or cross-team handoff
Recommend: Use staged workflow with explicit validation records.
Avoid: Avoid one-step execution without replayable evidence.
Failure Clinic (Common Pitfalls)
Signing normalized text instead of the raw payload
Cause: A pretty-printed JSON body is not the same byte stream the sender may have signed.
Fix: Sign the exact raw bytes or canonical form defined by the integration contract.
Forgetting timestamp or prefix rules
Cause: Many webhook systems sign `timestamp.payload` rather than the payload alone.
Fix: Replicate the exact signing template before concluding the secret is wrong.
Signing pretty-printed JSON instead of the original raw body
Cause: Whitespace changes alter bytes, so signatures no longer match provider-generated values.
Fix: Always sign the raw payload bytes exactly as received before any parsing or formatting.
Scenario Recipes
01
Reproduce a webhook signature mismatch
Goal: Generate the exact HMAC for the payload you captured before changing webhook or gateway code.
- Paste the raw body exactly as it was signed, including line endings.
- Use the same secret, algorithm, and timestamp rules as the sender.
- Compare your generated HMAC with the received signature header.
Result: You can isolate whether the mismatch comes from payload drift, secret drift, or canonicalization drift.
02
Replay webhook signature verification in staging
Goal: Reproduce a failing webhook signature by hashing the exact timestamp + raw payload format.
- Copy the raw request body bytes and timestamp header from webhook logs.
- Use the same secret and algorithm configured in production.
- Generate the HMAC and compare it with the provider signature header.
Result: You can pinpoint whether failures come from payload canonicalization, key mismatch, or clock skew.
03
Webhook signature verification setup
Goal: Align sender and receiver signing behavior across environments.
- Lock message canonicalization rules including newline handling.
- Verify algorithm, secret encoding, and output format expectations.
- Test replay and tampering cases with captured payload samples.
Result: Webhook authentication failures are reduced in production.
04
Hmac Generator readiness pass for cross-team handoff validation
Goal: Validate assumptions before output enters shared workflows.
- Run representative samples and capture output structure.
- Replay edge cases with downstream acceptance criteria.
- Publish only after sample and edge-case checks both pass.
Result: Delivery quality improves with less rollback and rework.
05
Hmac Generator incident replay for legacy contract stabilization
Goal: Convert recurring failures into repeatable diagnostics.
- Rebuild problematic inputs in an isolated environment.
- Compare expected and actual outputs against explicit pass criteria.
- Document reusable runbook steps for on-call and handoff.
Result: Recovery time drops and operational variance shrinks.
Production Snippets
Webhook signing base string
text
1700000000.{"event":"user.created","id":"evt_123"}Suggested Workflow
Practical Notes
HMAC Generator works best when you apply it with clear input assumptions and a repeatable workflow.
Practical usage
Use this tool as part of a repeatable debugging workflow instead of one-off trial and error.
Capture one reproducible input and expected output so teammates can verify behavior quickly.
Engineering tips
Keep tool output in PR comments or issue templates to shorten communication loops.
When behavior changes after deployment, compare old and new outputs with the same fixture data.
Use It In Practice
HMAC Generator is most reliable with real inputs and scenario-driven decisions, especially around "Need stable HMAC verification for external callbacks".
Use Cases
- When Need stable HMAC verification for external callbacks, prioritize Use raw-byte canonicalization and strict algorithm agreement..
- When Local exploration and temporary diagnostics, prioritize Use fast pass with lightweight verification..
- Compare Hash vs HMAC for Hash vs HMAC before implementation.
Quick Steps
- Paste the raw body exactly as it was signed, including line endings.
- Use the same secret, algorithm, and timestamp rules as the sender.
- Compare your generated HMAC with the received signature header.
Avoid Common Mistakes
- Common failure: Valid requests are rejected due to signature mismatch.
- Common failure: Output appears valid locally but fails during downstream consumption.
Frequently Asked Questions
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both data integrity and authenticity using a secret key combined with a cryptographic hash function.
What is the difference between SHA-1, SHA-256, and SHA-512?
They differ in hash length and security strength. SHA-256 and SHA-512 are more secure and recommended for modern applications, while SHA-1 is considered deprecated for high-security use cases.
Is my secret key safe?
Yes. All HMAC calculations are performed locally in your browser using the Web Crypto API. Your message and secret key are never transmitted to any server.
Can I use this output directly in production?
Yes, but you should still validate output in your real runtime environment before deployment. HMAC Generator is designed for fast local verification and clean copy-ready results.
Does this tool run fully client-side?
Yes. All processing happens in your browser and no input is uploaded to a server.
How can I avoid formatting or parsing errors?
Use well-formed input, avoid mixed encodings, and paste minimal reproducible samples first. Then scale to full content after the preview looks correct.