Generate keyed-hash message authentication codes (HMAC) using SHA-256, SHA-512 and other algorithms. Used to verify both data integrity and authenticity in APIs and webhooks.
HMAC Generator
Computes a hash-based message authentication code (HMAC) using a secret key and your favorite hashing function.
What it is
HMAC (Hash-based Message Authentication Code) is a specific type of message authentication code involving a cryptographic hash function and a secret cryptographic key. It may be used to simultaneously verify both the data integrity and the authenticity of a message.
How it works
Enter the message text and a secret key. Choose a hashing algorithm (e.g., SHA-256) and an output format. The tool will instantly generate the HMAC code.
Examples
- API Requests: Many services use HMAC to sign API requests to ensure they haven't been tampered with during transit.
- Webhooks: Services may send an HMAC header so you can verify that the message actually came from them.
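The webhook check described above, written out as an added example in Python (not code from this tool or its site). The `sha256=<hex>` header format, the secret and the payload are constructed assumptions; the last function contrasts the keyed check with a plain SHA-256 digest, which anyone can recompute.

```python
import hashlib
import hmac

# Constructed sample values; the "algo=<hex>" header format is an assumption.
SECRET = b"constructed-shared-secret"
BODY = b'{"event":"push","id":42}'

# Allow-list of accepted algorithms; anything else is rejected outright.
ALLOWED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def sign(secret: bytes, body: bytes, algo: str = "sha256") -> str:
    """Sender side: build the header value over the exact raw body bytes."""
    mac = hmac.new(secret, body, ALLOWED[algo]).hexdigest()
    return f"{algo}={mac}"


def verify(secret: bytes, body: bytes, header: str) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    algo, sep, received = header.partition("=")
    if not sep or algo not in ALLOWED:
        return False  # missing, malformed or non-allow-listed algorithm
    expected = hmac.new(secret, body, ALLOWED[algo]).hexdigest()
    # compare_digest does not stop at the first differing byte
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def plain_hash_check(body: bytes, digest_hex: str) -> bool:
    """Keyless check, for contrast: no secret is needed to produce digest_hex."""
    return hmac.compare_digest(hashlib.sha256(body).hexdigest(), digest_hex)


def demo() -> dict:
    header = sign(SECRET, BODY)
    tampered = BODY.replace(b"42", b"43")
    return {
        "valid": verify(SECRET, BODY, header),
        "tampered_body": verify(SECRET, tampered, header),
        "wrong_key": verify(b"guessed-key", BODY, header),
        "malformed_header": verify(SECRET, BODY, "md5=abc"),
        # A modified body with a recomputed keyless digest still passes.
        "plain_hash_forged": plain_hash_check(tampered, hashlib.sha256(tampered).hexdigest()),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Verify against the raw request bytes as received; re-serializing parsed JSON before hashing can change the bytes and make a valid signature fail.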
Limitations & notes
Generation happens locally in your browser using the CryptoJS library. Your secret key and text are never sent to our server.
FAQ
- How is HMAC different from a regular hash? A regular hash (like SHA-256) verifies that data has not been modified, but anyone can compute the hash. HMAC combines the hash with a secret key, so only parties who know the key can produce or verify the code. This proves both integrity (data unchanged) and authenticity (sent by someone who knows the key).
- Which HMAC algorithm should I use? HMAC-SHA256 is the most widely used and recommended for new applications. It offers a good balance of security and performance. HMAC-SHA512 provides a larger output and may be faster on 64-bit systems. Avoid HMAC-MD5 and HMAC-SHA1 for new projects as their underlying hash functions have known weaknesses.
- Where is HMAC used in practice? HMAC is used in webhook signature verification (GitHub, Stripe, Slack all sign payloads with HMAC), API authentication (AWS Signature V4 uses HMAC-SHA256), JWT token signing (HS256 algorithm), and TLS/SSL handshakes. HMAC fits any scenario where sender and receiver share a secret key and the receiver needs to verify that a message was sent by a party who knows that key.
- Can HMAC be used for password storage? HMAC alone is not recommended for password storage because it is designed to be fast, which makes brute-force attacks feasible. For passwords, use dedicated slow-hashing algorithms like bcrypt, scrypt or Argon2 that include built-in salting and configurable work factors.