About

In modern distributed architectures, the integrity of communication between services is non-negotiable. The Hash-based Message Authentication Code (HMAC) standard, defined in RFC 2104, provides a mechanism to verify both the data integrity and the authenticity of a message. Unlike a simple hash, which anyone can generate, an HMAC requires a Secret Key known only to the sender and receiver.

This tool is engineered for developers debugging webhook integrations (e.g., Stripe, Slack, Shopify) or building signed API requests. It leverages the browser's native SubtleCrypto API for maximum performance and security, ensuring that sensitive keys never leave your local environment. It addresses common implementation pitfalls such as character encoding mismatches, hidden whitespace, and incorrect padding in Base64 outputs.


Formulas

The HMAC algorithm uses a specific construction to prevent length-extension attacks that affect simple $H(\text{key} \,\|\, \text{message})$ constructions. The formal definition allows for any iterative cryptographic hash function.

$$\mathrm{HMAC}(K, m) = H\big((K \oplus \mathrm{opad}) \,\|\, H\big((K \oplus \mathrm{ipad}) \,\|\, m\big)\big)$$

Where:
H is the hash function (e.g., SHA-256).
K is the key padded to the block size.
opad is the outer padding byte (0x5c) repeated.
ipad is the inner padding byte (0x36) repeated.

Reference Data

| Standard | Algorithm | Output (Bits) | Output (Hex Chars) | Security Context | Industry Usage |
|---|---|---|---|---|---|
| MD5 | Message Digest 5 | 128 | 32 | COMPROMISED | Legacy checksums, non-critical file verification. |
| SHA-1 | Secure Hash Algo 1 | 160 | 40 | WEAK | Git (historic), older payment gateways (e.g., PayPal IPN). |
| SHA-256 | Secure Hash Algo 2 | 256 | 64 | RECOMMENDED | Stripe, Shopify, JWT, AWS SigV4, SSL. |
| SHA-384 | Secure Hash Algo 2 | 384 | 96 | HIGH | NSA Suite B, Top Secret classification systems. |
| SHA-512 | Secure Hash Algo 2 | 512 | 128 | MAXIMUM | Future-proofing, high-entropy password hashing. |

Frequently Asked Questions

This is the most common issue. Check three things: 1) **Whitespace**: Does your message string have a trailing newline (`\n`) that you can't see? 2) **Encoding**: Does the API expect the key to be used as a raw string or decoded from Hex/Base64 first? 3) **URL Safety**: Are you using standard Base64 (`+` and `/`) instead of Base64URL (`-` and `_`)?
The underlying cryptographic signature is a sequence of raw bytes (binary). **Hex** represents each byte as two hexadecimal characters (0-9, a-f). **Base64** encodes these bytes into ASCII characters to make them safe for transport over text-based protocols like HTTP headers. They represent the exact same mathematical value.
Yes, with a caveat. This tool runs **entirely in your browser** (client-side). Your keys are never sent to our servers. However, browser extensions or malware on your own machine could theoretically snoop on the DOM. For high-value production keys (like live banking credentials), always rotate them after testing in any web-based tool.
To prevent **Replay Attacks**. If an attacker intercepts a valid signed request, they could theoretically resend it later to repeat the action (e.g., refunding a charge twice). Including a timestamp in the signed message forces the server to reject requests that are too old (usually >5 minutes).
Never choose SHA-1 for new applications; it is cryptographically weak. Only use SHA-1 if you are integrating with a legacy system that does not support newer algorithms. SHA-256 is the current industry standard for its balance of security and performance.
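
The mismatch causes and the timestamp check described in the answers above, combined into one server-side verifier. This is an added example, not code from this tool or from any provider: the signed-string layout `<timestamp>.<raw body>`, the function names and the sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # the 5-minute window mentioned above


def decode_signature(sig: str) -> bytes:
    """Turn a hex, Base64 or Base64URL signature string into raw bytes."""
    sig = sig.strip()  # hidden whitespace/newlines are a common mismatch cause
    try:
        if len(sig) == 64:  # a 32-byte SHA-256 MAC written as hex
            return bytes.fromhex(sig)
        # Map the Base64URL alphabet to standard and restore stripped padding.
        std = sig.replace("-", "+").replace("_", "/")
        return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""


def sign(secret: bytes, timestamp: int, body: bytes) -> bytes:
    # Assumed scheme: HMAC-SHA256 over "<timestamp>.<raw body bytes>".
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).digest()


def verify(secret: bytes, timestamp: str, body: bytes, signature: str, now=None) -> str:
    """Return "ok", "stale" or "bad-signature" for one received request."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)
    except ValueError:
        return "bad-signature"
    # Compare raw bytes in constant time, so the text encoding never matters.
    if not hmac.compare_digest(sign(secret, ts, body), decode_signature(signature)):
        return "bad-signature"
    # The timestamp is covered by the MAC, so a replayer cannot refresh it.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return "stale"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not real credentials or events.
    key, body, ts = b"constructed-secret", b'{"id":"evt_constructed"}', 1_700_000_000
    sig = sign(key, ts, body).hex()
    print(verify(key, str(ts), body, sig, now=ts + 10))   # inside the window
    print(verify(key, str(ts), body, sig, now=ts + 900))  # replayed later
```

Pass the request body to `verify` as the exact bytes received, before any JSON parsing or re-serialization, since a single added newline changes the MAC.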