What's the difference between HMAC and a plain SHA-256 hash?

A plain SHA-256 digest is unkeyed — anyone can recompute it, so it proves a message wasn't altered but not who produced it. HMAC mixes a shared secret key into the hash, so a correct tag also proves the sender knew the key. That authenticity property is why webhook senders sign request bodies with HMAC rather than a bare hash.

My webhook signature doesn't match — what should I check first?

Almost always the key encoding or the exact bytes of the message. Confirm whether the provider's secret is UTF-8 text, hex, or base64 and pick the matching mode here. Then make sure you're signing the raw request body byte-for-byte — a re-serialized JSON object with different whitespace, or a trailing newline, changes the tag. HMAC is deterministic, so identical inputs always match.

Should the output be hex or base64?

Whatever the receiver expects. GitHub sends `sha256=` followed by hex; many providers (including Stripe-style schemes) use hex too; some use base64. The bytes are identical — hex and base64 are just two encodings of the same tag. This tool gives you both so you can paste whichever your verification code compares against.

Is HMAC-SHA1 still safe to use?

For HMAC specifically, yes — the collision weaknesses that broke SHA-1 as a plain hash do not translate into a practical HMAC-SHA1 forgery, and protocols like TOTP still rely on it. That said, prefer HMAC-SHA256 for anything new; only stay on SHA-1 when an existing system (an old webhook, a legacy device) requires it.

Do you store my key or message?

No. Everything runs in your browser via WebCrypto. The key and message are never sent anywhere, and unlike the algorithm/encoding preference, they are never written to localStorage or the URL.

Verify a Stripe / payment-provider webhook signature by hand

A webhook isn't firing your handler and you suspect the signature check. Grab the raw request body from your logs, paste it as the message, take the webhook signing secret (Stripe's `whsec_...` is UTF-8 text), choose HMAC-SHA256, and compare the hex output against the `t=...,v1=...` value in the `Stripe-Signature` header. If they match, your verification code has a bug (often it re-parsed the JSON, changing the bytes); if they don't, you're using the wrong secret or signing the wrong payload. Either way you've isolated the problem in two paste operations instead of redeploying with print statements.

Build the X-Signature header your client has to send

You're integrating with an API that requires every request to carry `X-Signature: `. Paste your request body as the message, paste the API key the provider gave you, pick the algorithm their docs specify, and copy the hex (or base64 — read their docs) tag straight into your test in Postman or curl. This lets you confirm the exact tag the server expects before you wire the signing into your code, so you debug the HMAC step in isolation rather than tangled up with auth and routing.

Check the signature segment of a JWT HS256 token

A JWT is being rejected as "invalid signature" and you want to know whether the signature itself is wrong or something upstream is. Take the token's `header.payload` (the first two dot-separated segments, base64url) as the message, paste the HS256 secret, choose HMAC-SHA256, and compare the base64 output against the token's third segment (after converting base64url `-_` to base64 `+/`). If they match, the signature is fine and the problem is claims or expiry; if not, the secret or the signing input differs.

Reproduce a GitHub webhook delivery for testing

GitHub signs webhook payloads with HMAC and sends `X-Hub-Signature-256: sha256= `. To replay a delivery against your local server, copy the exact JSON payload as the message, paste your webhook secret as a UTF-8 key, pick HMAC-SHA256, and prepend `sha256=` to the hex output to recreate the header. Now you can curl your endpoint with a signature it will actually accept, without waiting for GitHub to send a real event.

Diagnose a hex-vs-base64 or key-encoding mismatch

Two systems agree on the secret but disagree on the tag. Paste the shared message and key, then toggle the key encoding between UTF-8, hex, and base64 and watch the byte-length readout: a 32-byte random key stored as 64 hex chars decodes to 32 bytes under "hex" but to 64 bytes under "UTF-8", producing two entirely different tags. Flip between the hex and base64 outputs too — if one side compared base64 while the other compared hex, the tags "differ" only because they're different encodings of the same bytes.

HMAC Generator — SHA-1 / SHA-256 / SHA-384 / SHA-512

HMAC-SHA1/256/384/512 — message + secret key, output in hex and base64, key read as UTF-8/hex/base64 — 100% in-browser

Runs locally
Category Encoding & Crypto
Best for Checking small payloads, tokens, hashes, and encoded values quickly.

Algorithm

Message

0 chars · 0 bytes

Secret key

Key is

Message and key stay in your browser — never uploaded, never stored.

HMAC (hex)

—

HMAC (base64)

—

What this tool does

Free online HMAC generator. Paste the exact message you want to sign, type your secret key, pick HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512, and read the tag back in both lowercase hex and standard base64 — the two forms every webhook and API doc pastes. Signing runs entirely in your browser through the native WebCrypto `crypto.subtle.sign` API, so the message and the key never leave the page, never hit a server, and are never logged.

The detail most online HMAC tools get wrong is the key encoding. A secret can legitimately be UTF-8 text (`whsec_...`), raw hex (a 32-byte key written as 64 hex characters), or base64 (Stripe-style). Feed the same key bytes in the wrong interpretation and you get a valid-looking but completely wrong tag — the classic reason a webhook signature check fails even though "the key is right". This tool lets you choose UTF-8, hex, or base64 explicitly and shows the resulting key length in bytes so you can confirm you decoded it the way the sender encoded it.

Use it to reproduce the signature a payment provider sent in an `X-Signature` header, to build the signing header your own HTTP client has to attach, to verify a GitHub or Shopify webhook by hand, or to sanity-check the HMAC step inside a JWT HS256 token. Because HMAC is deterministic, the same algorithm, message, key, and key encoding always produce the same tag — so a mismatch means one of those four differs, and this tool helps you find which one.

Tool details

Input: Text + Numbers; The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output: Live result + Copy; The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy: Browser-side processing; The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share: Local preference storage; Preferences, history, or drafts are saved in this browser without an account.
Performance budget: Initial JS <= 14 KB; No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit: Encoding & Crypto · Developer; Category and role tags drive related tools, internal links, and quick fit checks.

How to use

1. Input

Paste or drop your content into the tool panel.
2. Process

Click the button. All processing is local in your browser.
3. Copy / Download

Copy the result or download to disk in one click.

How HMAC Generator fits into your work

Use it for quick browser-side encoding, decoding, hashing, token checks, and share-safe transformations.

Encoding jobs

Checking small payloads, tokens, hashes, and encoded values quickly.
Preparing values for APIs, URLs, docs, or support tickets.
Avoiding account-based tools when the input might be sensitive.

Encoding checks

Do not paste live secrets unless you are comfortable with local browser handling.
Confirm whether the operation is reversible before sharing the result.
For hashes, compare the exact algorithm and casing expected by the receiver.

Good next steps

These links move the current task into a more complete workflow.

Real-world use cases

Verify a Stripe / payment-provider webhook signature by hand
A webhook isn't firing your handler and you suspect the signature check. Grab the raw request body from your logs, paste it as the message, take the webhook signing secret (Stripe's `whsec_...` is UTF-8 text), choose HMAC-SHA256, and compare the hex output against the `t=...,v1=...` value in the `Stripe-Signature` header. If they match, your verification code has a bug (often it re-parsed the JSON, changing the bytes); if they don't, you're using the wrong secret or signing the wrong payload. Either way you've isolated the problem in two paste operations instead of redeploying with print statements.
Build the X-Signature header your client has to send
You're integrating with an API that requires every request to carry `X-Signature: <hmac of the body>`. Paste your request body as the message, paste the API key the provider gave you, pick the algorithm their docs specify, and copy the hex (or base64 — read their docs) tag straight into your test in Postman or curl. This lets you confirm the exact tag the server expects before you wire the signing into your code, so you debug the HMAC step in isolation rather than tangled up with auth and routing.
Check the signature segment of a JWT HS256 token
A JWT is being rejected as "invalid signature" and you want to know whether the signature itself is wrong or something upstream is. Take the token's `header.payload` (the first two dot-separated segments, base64url) as the message, paste the HS256 secret, choose HMAC-SHA256, and compare the base64 output against the token's third segment (after converting base64url `-_` to base64 `+/`). If they match, the signature is fine and the problem is claims or expiry; if not, the secret or the signing input differs.
Reproduce a GitHub webhook delivery for testing
GitHub signs webhook payloads with HMAC and sends `X-Hub-Signature-256: sha256=<hex>`. To replay a delivery against your local server, copy the exact JSON payload as the message, paste your webhook secret as a UTF-8 key, pick HMAC-SHA256, and prepend `sha256=` to the hex output to recreate the header. Now you can curl your endpoint with a signature it will actually accept, without waiting for GitHub to send a real event.
Diagnose a hex-vs-base64 or key-encoding mismatch
Two systems agree on the secret but disagree on the tag. Paste the shared message and key, then toggle the key encoding between UTF-8, hex, and base64 and watch the byte-length readout: a 32-byte random key stored as 64 hex chars decodes to 32 bytes under "hex" but to 64 bytes under "UTF-8", producing two entirely different tags. Flip between the hex and base64 outputs too — if one side compared base64 while the other compared hex, the tags "differ" only because they're different encodings of the same bytes.

Common pitfalls

Signing the wrong bytes. HMAC is over the raw message exactly as sent — if you re-serialize a JSON body, re-order keys, or add/strip a trailing newline before signing, you get a different tag than the sender did. Always sign the byte-for-byte payload, not a reconstructed object.
Misreading the key encoding. A 32-byte key written as 64 hex characters is NOT the same as that 64-character string treated as UTF-8 text — they decode to different bytes and different tags. Match the key mode (UTF-8 / hex / base64) to how the other side encoded the secret, and use the byte-length readout to confirm.
Comparing different output encodings. hex and base64 are two encodings of the identical tag bytes; if your code base64-decodes the expected value but you paste the hex form (or vice versa) the comparison fails for no cryptographic reason. Pick the encoding the receiver actually compares against.

Privacy

The entire computation — decoding your key (UTF-8 / hex / base64), importing it as a WebCrypto key, and signing the message with HMAC-SHA1/256/384/512 — runs in your browser tab via the native `crypto.subtle` API. The message and the secret key are never uploaded, never logged, and never appear in any analytics. Unlike tools that put state in the URL for sharing, this tool deliberately keeps the message and key out of both the URL and localStorage, because a leaked signing key compromises every signature it ever made. The only thing persisted locally is your non-sensitive UI preference (which algorithm and key encoding you last picked), so the page remembers your setup without ever remembering your secrets.

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Developer

Browse all tools for this role

HMAC Generator — SHA-1 / SHA-256 / SHA-384 / SHA-512

What this tool does

Tool details

How to use

1. Input

2. Process

3. Copy / Download

How HMAC Generator fits into your work

Encoding jobs

Encoding checks

Good next steps

Real-world use cases

Verify a Stripe / payment-provider webhook signature by hand

Build the X-Signature header your client has to send

Check the signature segment of a JWT HS256 token

Reproduce a GitHub webhook delivery for testing

Diagnose a hex-vs-base64 or key-encoding mismatch

Common pitfalls

Privacy

FAQ

MD5 / SHA Hash Generator

JWT Encoder

File Hash Calculator

Bcrypt Generator

Base64 Encoder & Decoder

AES Text Encryptor

Affine Cipher Encoder & Decoder

Atbash Cipher

Bacon Cipher Encoder & Decoder

Base32 / Base58 Encoder & Decoder

Base62 Encoder & Decoder

Base64 Block Deduplicator