Generate secure HMAC signatures instantly in your browser
HMAC is computed locally using the browser's Web Crypto API (SubtleCrypto.sign). Your message and secret key are never sent to any server.
An HMAC (Hash-based Message Authentication Code) lets you verify both the integrity and authenticity of a message using a shared secret key. This free HMAC generator uses the browser's Web Crypto API to produce a hex-encoded signature with SHA-256, SHA-384, or SHA-512 — entirely client-side. No data ever leaves your browser, making it safe for sensitive payloads and API secret verification.
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a signature. It is used to verify that a message has not been tampered with and that it came from someone who knows the shared secret — common in API authentication, webhooks, and JWT signing.
SHA-256 is the most widely supported and is sufficient for almost all use cases. SHA-384 and SHA-512 produce longer outputs (384 and 512 bits respectively) and offer a higher security margin, which is useful when signing very sensitive data or when future-proofing against advances in computing power.
Yes. This tool runs entirely in your browser using the Web Crypto API. Neither your secret key nor your message is ever sent to a server. You can verify this by checking the browser's network tab — no outbound requests are made when you type.
An empty string is technically a valid key in HMAC — the algorithm will still run and produce a deterministic output. However, an empty key provides no security because anyone can reproduce the signature without knowing a secret. Always use a strong, randomly generated key in production.