HMAC Generator — Keyed Signatures for APIs and Webhooks
Generate and verify HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 authentication codes entirely in your browser — no server contact, no data logged. Includes hex and Base64 output, timing-safe HMAC verification, and pre-formatted webhook signature headers for GitHub, Stripe, and Shopify.
Enter the message, key, and expected HMAC to verify authenticity. Comparison is done byte-by-byte to prevent timing attacks.
Enter a payload and secret key to see the formatted webhook signature header as it would appear for each platform.
How to Use the HMAC Generator
- On the Generate tab, choose your algorithm (HMAC-SHA256, SHA384, or SHA512) and output format (Hex or Base64).
- Enter the message (payload to sign) and your secret key — the HMAC appears automatically.
- Click Copy HMAC to copy the result for use in your API request header or test suite.
- Switch to Verify to paste an expected HMAC alongside your message and key — the tool checks them using a timing-safe comparison.
- Open the Webhooks tab, enter a JSON payload and secret to see correctly formatted signature headers for GitHub, Stripe, and Shopify.
Key Features
- HMAC-SHA256, SHA384, and SHA512: Choose the algorithm required by your platform or security policy.
- Hex and Base64 output: Select the encoding format that matches your target system — GitHub uses hex, Shopify uses Base64.
- Timing-safe HMAC verification: The Verify tab compares HMACs byte-by-byte to prevent timing attacks in your testing workflow.
- Pre-formatted webhook headers: The Webhooks tab produces ready-to-use signature strings for GitHub (X-Hub-Signature-256), Stripe (Stripe-Signature), and Shopify (X-Shopify-Hmac-Sha256).
- 100% client-side via Web Crypto API: Your message, key, and computed HMAC are never transmitted to any server.
- Live generation: HMAC updates automatically as you type — no submit button needed.
Use Cases
API Request Signing and Verification
Many REST APIs require HMAC-SHA256 request signatures to prevent replay attacks and ensure payload integrity. Enter your API payload and secret key to generate the correct signature for inclusion in your Authorization or X-Signature header. Use the Verify tab to confirm that an incoming signature matches what you would have computed.
Verify GitHub Webhook Signatures
GitHub signs every webhook delivery with HMAC-SHA256 of the raw request body and sends the result as X-Hub-Signature-256: sha256=<hex>. Paste your webhook payload and secret into the Webhooks tab to generate the expected header value for manual verification during development.
Test Stripe Webhook Authentication
Stripe's signature format is more complex: the signed payload is timestamp.body, and the header is Stripe-Signature: t=<ts>,v1=<hmac-hex>. The Webhooks tab computes this correctly, letting you validate your server-side verification code against a known-good signature.
Shopify Webhook Verification
Shopify sends X-Shopify-Hmac-Sha256 as a Base64-encoded HMAC-SHA256 of the raw body. This is a common source of confusion because Base64 encoding is required, not hex. The Webhooks tab produces the correct Base64 value alongside the GitHub and Stripe formats.
JWT HS256/HS384/HS512 Signature Debugging
JSON Web Tokens signed with HS256, HS384, or HS512 use HMAC under the hood. If you need to manually verify or debug a JWT signature, compute the HMAC of base64url(header).base64url(payload) with your secret key and compare the output against the token's signature component.
FAQs
A plain hash (SHA-256, MD5) requires no key, so anyone who knows the algorithm can compute it for any message. HMAC requires a shared secret key both to produce and to verify a value. HMAC therefore proves both data integrity and authenticity, while a plain hash proves integrity only when you already trust the channel the message arrived over.
HMAC-SHA256 is the most widely supported and is the standard for most APIs and webhooks. HMAC-SHA384 and HMAC-SHA512 provide extra security margin for high-value scenarios. Avoid HMAC-MD5 and HMAC-SHA1 in new applications — they rely on hash functions with known weaknesses.
GitHub sends X-Hub-Signature-256 containing "sha256=" followed by the HMAC-SHA256 hex of the raw request body, signed with your webhook secret. Compute HMAC-SHA256 on your end with the same secret and compare byte-by-byte using a timing-safe comparison function. Never use regular string equality, which is vulnerable to timing attacks.
A timing-safe comparison checks every byte of both values regardless of where a mismatch occurs, preventing an attacker from inferring how many bytes matched by measuring the response time. Server-side implementations should use crypto.timingSafeEqual() in Node.js or equivalent in other languages.
All computation happens locally in your browser using the Web Crypto API. No data is sent to any server. For production use, implement HMAC generation server-side where your secret key is never exposed to the client. This tool is designed for development, testing, and debugging.
Hex encoding represents each byte as two hexadecimal characters — easy to read and widely used by GitHub and Stripe. Base64 encodes three bytes as four characters, producing a more compact result. Shopify uses Base64 for its HMAC header. This tool supports both formats so you can match any platform's requirements.
Yes. A plain hash such as SHA-256 is vulnerable to length extension: given the hash of a message, an attacker can compute the hash of that message with extra data appended, so a naive construction like SHA-256(key || message) can be extended without knowing the key. HMAC applies the hash function twice, nested, with an inner and an outer key padding, which removes this weakness.
Stripe signs the concatenation of the Unix timestamp and raw request body (timestamp.body) with HMAC-SHA256. The header format is Stripe-Signature: t=<timestamp>,v1=<hmac-hex>. The Webhooks tab in this tool computes this correctly for testing purposes.