HMAC Generator (SHA-1 / 256 / 384 / 512)

How to use

1. Paste the message and the key.
2. Pick key encoding (UTF-8 is most common; Stripe uses UTF-8, GitHub uses UTF-8, AWS SigV4 uses derived hex keys).
3. Choose algorithm and output format — the result updates live.

Frequently asked questions

Which algorithm should I use?

HMAC-SHA256 is the modern default — used by Stripe, GitHub, Shopify, AWS SigV4. Avoid SHA-1 for new code (though it's still safe against HMAC attacks; just not future-proof).

Why are key encodings needed?

Some APIs give you the secret as a Base64 or Hex string. Treating those as UTF-8 produces a different signature than the server computes. Match the encoding of the published secret.

Is hex vs Base64 output meaningful?

Each API expects one — GitHub wants hex prefixed with `sha256=`, Stripe wants hex too, Slack wants hex, AWS uses hex. Base64 shows up in some custom protocols.

Can this verify a signature?

Indirectly — compute the HMAC of the message/key, then compare to the expected signature. For safety, do that comparison in constant time (which a browser's `===` is not).

Related tools