HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message using a secret key combined with a hash function like SHA-256.

What are HMAC signatures used for?

HMAC signatures are primarily used for webhook verification (GitHub, Stripe, Slack), API request signing, and ensuring data has not been tampered with during transmission.

✍️ Security

HMAC Generator & Verifier

Generate HMAC-SHA256 and HMAC-SHA512 signatures for webhook validation and API request signing. Verify incoming webhook payloads against their expected signatures. All cryptographic operations run in your browser via the Web Crypto API.

⚡ Webhook Presets

Algorithm

Secret Key

Message / Payload

Output Format

✅ HMAC-SHA256 Signature

Enter a secret key and message above to generate the signature…

🔍 Verify Signature

Paste an incoming webhook signature to verify it matches the computed HMAC above.

Expected Signature (from webhook header)

🔍Enter a signature to verify against the computed HMAC

📖 Verification Code Examples

Privacy: HMAC computation uses the browser's native crypto.subtle.sign() API. Your secret key and payload never leave your browser.

📖 How to Use This Tool

▼

Select a webhook preset (GitHub, Stripe, Slack)

Enter your secret key and the message payload

Choose format: hex, base64, or sha256=hex

Paste a signature in Verify to check if it matches

📝 Examples

GitHub webhook

Input: Secret + JSON body

Output: sha256=a1b2c3d4...