User Rating 0.0 ★★★★★

Total Usage 1 times

Category Security

Configuration

Hashing Algorithm

256-bit output. Standard for most modern APIs.

Secret Key

Mask

0 chars

Message / Payload

0 chars

Calculated Signature

Hex (Base16)

...

Base64

...

Base64URL (No padding, URL safe)

...

Verify Signature

Paste a signature to check for a match.

Is this tool helpful?

Your feedback helps us improve.

★ ★ ★ ★ ★

About

In modern distributed architectures, the integrity of communication between services is non-negotiable. The Hash-based Message Authentication Code (HMAC) standard, defined in RFC 2104, provides a mechanism to verify both the data integrity and the authenticity of a message. Unlike a simple hash, which anyone can generate, an HMAC requires a Secret Key known only to the sender and receiver.

This tool is engineered for developers debugging webhook integrations (e.g., Stripe, Slack, Shopify) or building signed API requests. It leverages the browser's native SubtleCrypto API for maximum performance and security, ensuring that sensitive keys never leave your local environment. It addresses common implementation pitfalls such as character encoding mismatches, hidden whitespace, and incorrect padding in Base64 outputs.

Formulas

The HMAC algorithm uses a specific construction to prevent length-extension attacks that affect simple H(key ∥ message) constructions. The formal definition allows for any iterative cryptographic hash function.

HMAC(K, m) = H((K′ ⊕ opad) ∥ H((K′ ⊕ ipad) ∥ m))

Where:
• H is the hash function (e.g., SHA-256).
• K′ is the key padded to the block size.
• opad is the outer padding byte (0x5c) repeated.
• ipad is the inner padding byte (0x36) repeated.

Reference Data

Standard	Algorithm	Output (Bits)	Output (Hex Chars)	Security Context	Industry Usage
MD5	Message Digest 5	128	32	COMPROMISED	Legacy checksums, non-critical file verification.
SHA-1	Secure Hash Algo 1	160	40	WEAK	Git (historic), older payment gateways (e.g., PayPal IPN).
SHA-256	Secure Hash Algo 2	256	64	RECOMMENDED	Stripe, Shopify, JWT, AWS SigV4, SSL.
SHA-384	Secure Hash Algo 2	384	96	HIGH	NSA Suite B, Top Secret classification systems.
SHA-512	Secure Hash Algo 2	512	128	MAXIMUM	Future-proofing, high-entropy password hashing.

Frequently Asked Questions

This is the most common issue. Check three things: 1) **Whitespace**: Does your message string have a trailing newline (`\n`) that you can't see? 2) **Encoding**: Does the API expect the key to be used as a raw string or decoded from Hex/Base64 first? 3) **URL Safety**: Are you using standard Base64 (`+` and `/`) instead of Base64URL (`-` and `_`)?

The underlying cryptographic signature is a sequence of raw bytes (binary). **Hex** represents each byte as two hexadecimal characters (0-9, a-f). **Base64** encodes these bytes into ASCII characters to make them safe for transport over text-based protocols like HTTP headers. They represent the exact same mathematical value.

Yes, with a caveat. This tool runs **entirely in your browser** (client-side). Your keys are never sent to our servers. However, browser extensions or malware on your own machine could theoretically snoop on the DOM. For high-value production keys (like live banking credentials), always rotate them after testing in any web-based tool.

To prevent **Replay Attacks**. If an attacker intercepts a valid signed request, they could theoretically resend it later to repeat the action (e.g., refunding a charge twice). Including a timestamp in the signed message forces the server to reject requests that are too old (usually >5 minutes).

Never choose SHA-1 for new applications; it is cryptographically weak. Only use SHA-1 if you are integrating with a legacy system that does not support newer algorithms. SHA-256 is the current industry standard for balance between security and performance.