HMAC Generator
Calculate secure Hash-based Message Authentication Codes instantly. A sandboxed, client-side tool for debugging webhook signatures and API authentication headers.
Enter both a message and a secret key to generate the HMAC.
The Mathematics of HMAC (RFC 2104)
The Kodivio HMAC Engine provides a transparent implementation of the standard defined in RFC 2104. Unlike a basic cryptographic hash, an HMAC does not simply hash the payload and the secret key together. Doing so leaves the system vulnerable to length extension attacks, where hackers can append malicious data to the end of your payload without invalidating the hash.
To solve this, HMAC performs a brilliant double-hashing maneuver. First, the algorithm mathematically pads your Secret Key and XORs it with an inner padding string (the ipad). It then hashes this result alongside your actual message payload.
Next, it XORs your Secret Key against an outer padding string (the opad), and hashes that result alongside the output of the first hash. This nested, two-step cryptographic operation completely eliminates length extension vulnerabilities and ensures absolute data integrity.
Data Integrity vs Encryption
It is a common misconception among junior developers that an HMAC "encrypts" data. It does not. An HMAC provides Authentication and Integrity, but it provides zero Confidentiality.
When a server sends an API payload with an HMAC signature attached to the headers, the JSON payload itself remains completely readable plaintext. The HMAC simply acts as an unforgeable wax seal on an envelope. If a hacker intercepts the payload and changes "amount": 10 to "amount": 1000, the mathematical hash of the payload changes instantly. When the receiving server calculates its own HMAC and compares it to the attached signature, the mismatch immediately exposes the tampering.
Real-World Developer Use Cases
Stripe & Shopify Webhooks
When a customer pays on Stripe, Stripe sends a JSON webhook to your server. To prove the webhook is genuinely from Stripe, they sign the raw JSON payload using HMAC-SHA256. Developers use tools like this generator to manually verify test webhook payloads while building their billing integrations.
Amazon Web Services (AWS) API
AWS mandates the implementation of Signature Version 4 (SigV4) for all API requests. This protocol heavily relies on nested HMAC-SHA256 calculations involving the date, region, service, and HTTP request payload to guarantee the request hasn't been intercepted and altered in transit.
JSON Web Token (JWT) Signatures
The most popular method for signing JWTs is the HS256 algorithm. This is simply an HMAC-SHA256 signature generated from the Base64Url-encoded header and payload of the token, utilizing a private server secret. This prevents users from altering their JWT to grant themselves administrative privileges.
OAuth 1.0a & Twitter API
Legacy API structures like OAuth 1.0a (still utilized by massive platforms like Twitter) require every single HTTP request to be signed via HMAC-SHA1. This ensures that even if the request is made over an unencrypted channel, the parameters cannot be maliciously modified.
Frequently Asked Questions
What is an HMAC?
HMAC stands for Hash-based Message Authentication Code. It is a specific cryptographic construction utilized to calculate a message authentication code (MAC) involving a cryptographic hash function (like SHA-256 or MD5) combined with a secret cryptographic key. It is universally used in API development to verify both the data integrity and the authenticity of a message.
What is the difference between a Hash and an HMAC?
A standard hash (like a simple SHA-256) takes an input and produces a fixed-length string. Anyone can compute a standard hash if they have the input data. An HMAC, however, requires a Secret Key in addition to the input data. Only someone possessing the exact Secret Key can generate the correct HMAC. This ensures that the message wasn't intercepted and altered by a malicious third party in transit.
Why do APIs and Webhooks use HMAC?
When services like Stripe or GitHub send a webhook (an automated HTTP request) to your server, your server needs a way to guarantee the request is actually from Stripe and not from a hacker trying to spoof a fake payment. Stripe generates an HMAC using a secret key they shared with you, and attaches it to the request header. Your server generates its own HMAC using the same payload and secret key. If the two HMACs match perfectly, the request is authentic.
Which HMAC algorithm should I choose?
For modern web applications in 2026, HMAC-SHA256 is the absolute industry standard. It provides an excellent balance between mathematical speed and impenetrable cryptographic security. HMAC-SHA512 is used in highly sensitive banking environments. HMAC-MD5 and HMAC-SHA1 are considered mathematically deprecated and should only be used to integrate with legacy enterprise systems that cannot be upgraded.
Is this HMAC generator secure for my real secret keys?
Yes, completely. The Kodivio HMAC Engine runs entirely within your browser's local sandbox memory using JavaScript. Your payload and your highly sensitive secret keys are never transmitted to our backend servers, databases, or analytics platforms. It uses a strict Zero-Server architecture, ensuring military-grade privacy for your cryptographic operations.
Why do my HMACs look different when output as Base64 vs Hex?
The raw output of an HMAC operation is a sequence of binary bytes. Because raw binary is difficult to read and transmit over HTTP headers, it must be encoded into text. Hexadecimal encoding uses the characters 0-9 and a-f, resulting in a longer string. Base64 encoding uses 64 different characters (A-Z, a-z, 0-9, +, /), making it much more compact. The underlying cryptographic bytes are identical; only the visual representation changes.
What is a Timing Attack against HMAC verification?
A timing attack occurs when your server compares the HMAC provided by a user against the HMAC generated by your server using a standard string comparison (e.g., stringA == stringB). Standard comparisons fail instantly at the first mismatched character. Hackers can measure these microscopic milliseconds of failure time to mathematically guess your secret key. You must always use a constant-time comparison function (like crypto.timingSafeEqual) to verify HMACs.