HMAC Generator
Compute keyed-hash message authentication codes (HMAC) using SHA-1, SHA-256, SHA-384, or SHA-512. The same primitive that signs JWT HS256 tokens and webhook payloads.
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a construction that turns a hash function and a secret key into a way to verify both the integrity and the authenticity of a message. Two parties who share a key can confirm a message has not been altered and was produced by someone who knows the key. Unlike a digital signature, HMAC is symmetric — the same key both produces and verifies.
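To make the construction concrete, here is an added Python example (not code from this tool) that builds HMAC directly from its definition, H((K' xor opad) || H((K' xor ipad) || message)), and cross-checks it against the standard library. The function names are my own; the inputs are constructed test values.

```python
import hashlib
import hmac  # stdlib implementation, used only to cross-check the hand-built one


def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC from first principles: H((K' ^ opad) || H((K' ^ ipad) || msg)).

    K' is the key brought to exactly one hash block: a key longer than the
    block is replaced by its hash, a shorter one is zero-padded on the right.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 for SHA-1/SHA-256, 128 for SHA-384/512
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad_key + msg).digest()
    return hashlib.new(hash_name, opad_key + inner).digest()


def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """True when the hand-built HMAC agrees with hmac.new for this input."""
    reference = hmac.new(key, msg, hash_name).digest()
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), reference)


def long_key_equals_its_hash(long_key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """A side effect of the key preprocessing: a key longer than the block size
    and its hash digest produce identical tags, so they are the same key."""
    digest_key = hashlib.new(hash_name, long_key).digest()
    return hmac_manual(long_key, msg, hash_name) == hmac_manual(digest_key, msg, hash_name)


if __name__ == "__main__":
    # Constructed sample input, not a real secret.
    print(hmac_manual(b"key", b"The quick brown fox jumps over the lazy dog").hex())
```

The last helper illustrates why the FAQ below recommends a 32-byte random key rather than a very long passphrase: anything past one hash block is collapsed to a digest before it is used.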
Common HMAC use cases
- Webhook signing. Stripe, GitHub, and others sign webhook payloads so receivers can detect tampering and replay.
- JWT HS256. The HS256 algorithm in JWT is literally HMAC-SHA256(secret, header + "." + payload).
- API request signing. AWS Signature Version 4, for example, derives a signing key with HMAC-SHA256.
- Session token integrity. Sealing a session ID so it can't be modified by the client.
Constant-time comparison. When verifying an HMAC server-side, compare with a constant-time function (Node's crypto.timingSafeEqual, Python's hmac.compare_digest). A naive equality check returns as soon as the first differing byte is found, so its timing leaks how much of a candidate tag is correct.
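Putting the use cases and the constant-time rule together, here is an added Python example (my own code, not this tool's) that mints and verifies a JWT HS256 token and a webhook signature. It assumes the JWT signing input is the base64url-encoded header and payload joined by ".", borrows the "sha256=<hex>" header format from GitHub's X-Hub-Signature-256 as a convention, and uses hypothetical function names; the keys and payloads are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets


def generate_key(nbytes: int = 32) -> bytes:
    """Key from the OS CSPRNG; 32 bytes matches the SHA-256 output size."""
    return secrets.token_bytes(nbytes)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a JWT: HMAC-SHA256 over base64url(header) + "." + base64url(payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = (_b64url(json.dumps(header, **compact).encode())
                     + "." + _b64url(json.dumps(claims, **compact).encode()))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_hs256(token: str, key: bytes):
    """Return the claims if the tag verifies, otherwise None.

    The algorithm is pinned server-side: the header's alg field is checked
    against HS256 rather than used to pick the verifier, and the tag is
    compared with hmac.compare_digest so timing does not depend on how many
    leading bytes match.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64, bad JSON, bad UTF-8
        return None


def sign_webhook(body: bytes, key: bytes) -> str:
    """Signature header for a webhook body; the sha256= prefix is an assumed convention."""
    return "sha256=" + hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, signature_header: str, key: bytes) -> bool:
    """Recompute over the raw body bytes and compare in constant time."""
    expected = sign_webhook(body, key).encode("utf-8")
    return hmac.compare_digest(expected, signature_header.encode("utf-8"))


if __name__ == "__main__":
    key = generate_key()
    token = sign_hs256({"sub": "alice", "role": "user"}, key)  # constructed claims
    print(token)
    print(verify_hs256(token, key))
```

Verify over the raw request body, not a re-serialized copy: any whitespace or key-order change in a parsed-and-dumped JSON body changes the bytes and therefore the tag.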
FAQ
How long should the key be?
For HMAC-SHA256, a 256-bit (32-byte) key is ideal. Shorter keys still work, but the effective security drops to the key's actual entropy. Generate keys with a CSPRNG, not human-chosen strings.
Is HMAC-SHA-1 still safe?
HMAC-SHA-1 remains cryptographically secure for authentication because HMAC's security does not rest on collision resistance, the property that has been broken in SHA-1. New designs should still prefer HMAC-SHA-256 for defense in depth.
HMAC vs digital signature?
HMAC is symmetric: both parties share the same key. Signatures use asymmetric keys: anyone with the public key can verify, only the holder of the private key can sign. Use signatures when non-repudiation or public verifiability matters.