How to Generate HMAC Signatures - Step by Step Guide

Sign payloads with secret keys for authentication and integrity checks

Step 1

Enter Message and Secret Key

Provide the payload and secret key exactly as your server expects. The SubtleCrypto.sign() method generates the HMAC signature using your chosen algorithm.

Message: Paste the raw request body, webhook payload, or any text content to sign.
Secret key: Enter the shared secret from your API provider or webhook configuration.
Try sample: Click Sample to load a payment event JSON with a demo secret key.

Example — signing a webhook payload:

Message: {"event":"payment","id":"pay_1001","amount":149.00}
Secret:  my-demo-secret-key
Algorithm: HMAC-SHA-256

HEX:    a3f2b1c4d5e6...
Base64: o/KxxNXm...

→ Use the HEX or Base64 signature in your X-Signature header

Step 2

Select HMAC Algorithm

Choose the SHA variant matching your integration contract. Most GitHub webhook signatures and payment APIs use HMAC-SHA-256.

HMAC-SHA-256: Most common for webhook signatures, API authentication, and RFC 2104 compliant workflows.
HMAC-SHA-512: Higher-security variant used in enterprise authentication and financial APIs.
HMAC-SHA-1: Legacy support for older integrations — not recommended for new implementations.

Step 3

Copy HEX or Base64 Signature

Both output formats are generated simultaneously. Use the format your API or webhook provider expects.

HEX format: Lowercase hexadecimal — standard for GitHub, Stripe, and most webhook X-Signature headers.
Base64 format: Compact encoding used in AWS Signature V4 and some REST API authentication flows.
Real-time updates: Signature regenerates automatically as you change message, secret, or algorithm.

Step 4

Export or Verify

Download the signature output or use HMAC Verify to validate a received signature against the expected value.

Copy: Copy the full signature output including algorithm, HEX, and Base64 values.
Download: Save the signature as a text file for integration testing or documentation.
Verify: Use HMAC Verify to confirm a received webhook signature matches the expected HMAC.

Frequently Asked Questions

Why do my signatures mismatch?

Most mismatches come from payload whitespace or newline differences, wrong secret encoding, or using a different algorithm than the server expects. Ensure the message bytes match exactly.

Is my secret key safe?

Yes. HMAC signing is performed entirely in your browser using the W3C Web Crypto API. Your secret key and message never leave the browser.

How do I verify a signature?

Use HMAC Verify with the same algorithm, secret, and payload to check if a received signature matches the computed HMAC.
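
The verification and mismatch answers above, shown as an added example that is not this tool's own code: it signs the page's sample payload with the Web Crypto API and verifies a received HEX signature against the exact bytes, then against altered bytes. The function names (importHmacKey, hmacSign, hmacVerifyHex, demo) are assumptions made for illustration.

```javascript
// Added example, not this tool's own code; function names are illustrative.
// Web Crypto is global in browsers and recent Node.js; older Node.js needs the fallback.
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder(); // message and secret are signed as UTF-8 bytes

async function importHmacKey(secret, hash) {
  return subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash },
    false, ["sign", "verify"]);
}

// Returns the signature in both encodings the page describes.
async function hmacSign(message, secret, hash = "SHA-256") {
  const key = await importHmacKey(secret, hash);
  const mac = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(message)));
  const hex = Array.from(mac, (b) => b.toString(16).padStart(2, "0")).join("");
  const base64 = btoa(String.fromCharCode(...mac));
  return { hex, base64 };
}

// Verifies a received hex signature over the raw message exactly as it arrived.
// subtle.verify() does the comparison, instead of === on signature strings.
async function hmacVerifyHex(message, secret, receivedHex, hash = "SHA-256") {
  if (!/^([0-9a-f]{2})+$/i.test(receivedHex)) return false; // reject malformed input
  const sig = Uint8Array.from(receivedHex.match(/../g), (h) => parseInt(h, 16));
  const key = await importHmacKey(secret, hash);
  return subtle.verify("HMAC", key, sig, enc.encode(message));
}

// Constructed demo using the page's sample payload and demo secret.
async function demo() {
  const body = '{"event":"payment","id":"pay_1001","amount":149.00}';
  const secret = "my-demo-secret-key";
  const { hex } = await hmacSign(body, secret);
  return {
    exact: await hmacVerifyHex(body, secret, hex), // true
    trailingNewline: await hmacVerifyHex(body + "\n", secret, hex), // false
    reserialized: await hmacVerifyHex(JSON.stringify(JSON.parse(body)), secret, hex), // false: 149.00 becomes 149
    wrongAlgorithm: await hmacVerifyHex(body, secret, hex, "SHA-512"), // false
  };
}
```

The reserialized case is why a server should verify the raw request body before parsing it: parsing and re-encoding JSON changes the bytes even when the data is the same.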

What is the difference between HMAC and plain hashing?

Plain hashing (SHA-256) creates a digest from content only. HMAC adds a secret key, making the signature unforgeable without knowing the key. This is critical for webhook and API authentication.

Can I compare output with server-side code?

Yes. For the same UTF-8 message and key, the output matches Node.js crypto.createHmac(), the Python hmac module, and openssl dgst -hmac.