logo
GeekFormat

HMAC Generator & Verifier

Hashi algorithm

The recommended key length corresponds to the length of the Hash output: SHA-1=20 bytes, SHA-256=32 bytes, SHA-384=48 bytes, SHA-512=64 bytes

Message Contents0 chars
HMAC Signature (Hex)
Waiting for input...

Notes

  • HMAC Generates signatures based on key and Hashi algorithms for authentication of source and integrity
  • Support SHA-1 / SHA-256 / SHA-384 / SHA-512
  • Generate and validate both locally in browsers, without uploading data
  • Validation uses fixed length by bytes to reduce time series differences

Free online HMAC signature generator and verifier supporting HMAC-SHA256/384/512/SHA1/MD5. Perfect for Stripe/GitHub/Shopify webhook signature verification with Hex/Base64/Base64URL output.

Related

Use Cases

  • Stripe webhook development: Debug Stripe payment callbacks, verify `Stripe-Signature` header correctness
  • GitHub webhook integration: Verify `X-Hub-Signature-256` signature for GitHub Push and Pull Request events
  • Shopify order synchronization: Verify `X-Shopify-Hmac-Sha256` signature for Shopify order update webhooks
  • Slack bot signatures: Verify `X-Slack-Signature` for Slack event callbacks
  • JWT development debugging: Sign JWTs with HS256, verify token validity
  • API request signing: Implement AWS Signature V4 or custom API signing schemes

Features

  • Multiple algorithm support: HMAC-SHA256/384/512, SHA1, MD5 — covers modern APIs and legacy systems
  • Webhook signature verification: Built-in support for Stripe/GitHub/Shopify/Slack signature formats with auto-parsing
  • Triple output formats: Hex / Base64 / Base64URL — matches any API or platform requirement
  • Real-time generation: Auto-calculate on input change with 300ms debounce, no button clicking needed
  • Signature verification mode: Paste expected signature to compare, real-time match result display
  • Key length detection: Real-time key strength monitoring with warnings for short keys
  • Browser-based processing: Web Crypto API for local computation, keys never uploaded to server
  • JWT support: HMAC-SHA256 output directly usable for HS256 signing

How to Use

  1. Select algorithm: Default HMAC-SHA256, recommended for modern APIs
  2. Enter message: Paste raw message body or API request content
  3. Enter key: Input Webhook Secret or API Secret
  4. Choose format: Select output format (hex for Stripe, Base64URL for JWT)
  5. Verify signature: Switch to verification mode, paste expected signature to compare

FAQ

What's the difference between HMAC and regular hashing?

Regular hash functions (like SHA256) only compute a digest of the message itself — anyone can calculate them. HMAC introduces a secret key into the hashing process, so only parties with the key can generate or verify a valid signature. HMAC guarantees both message integrity and authenticity, while regular hashes only verify integrity.

How to verify Stripe/GitHub/Shopify webhook signatures?

Different platforms format their signatures differently: Stripe uses the `Stripe-Signature` header with format `t=timestamp,v1=hex_signature`, signing the string `timestamp.payload`; GitHub uses `X-Hub-Signature-256` with format `sha256=hex_signature`; Shopify uses `X-Shopify-Hmac-Sha256` with Base64-encoded value. This tool supports direct verification of these common formats.

What's the difference between Hex, Base64, and Base64URL output?

Hex is hexadecimal format (0-9, A-F), human-readable, great for debugging. Base64 is a 64-character encoding that's more compact, ideal for embedding in JSON. Base64URL is the URL-safe version (replacing +/ with -_), used in JWT headers and URL parameters.

Which HMAC algorithm should I use?

**HMAC-SHA256 is recommended**: it's the modern standard for APIs and webhooks (used by Stripe, GitHub, Shopify, Slack), with 32-byte output and universal support. SHA-512 offers higher security but longer output (64 bytes). SHA1 is for legacy systems only. MD5 is deprecated and should only be used for very old APIs.

What are the requirements for key length?

Longer keys are more secure. Minimum 16 characters (128 bits) recommended, 32+ characters for production. The tool monitors key length and warns if too short. Use cryptographically secure random number generators for keys, not simple passwords or predictable strings.

Why does signature verification show mismatch?

Common causes: 1) Message contains extra whitespace or newlines; 2) Platform signs a composite string (e.g., Stripe signs `timestamp.payload`); 3) Signature includes a prefix you need to strip (like GitHub's `sha256=`); 4) Different algorithm used. Check that both sides use identical parameters.

Can HMAC be used for JWT signing?

Yes. JWT's HS256 algorithm is HMAC-SHA256, and HS512 is HMAC-SHA512. HMAC-SHA256 output from this tool can be directly used as the signature content for HS256. JWT Header and Payload are Base64URL-encoded, then signed with HS256.

Is this online HMAC tool secure?

This tool uses Web Crypto API for all calculations in your browser locally. Keys and messages are never sent to any server. You can verify this by opening browser DevTools Network panel — no external requests are made. Suitable for testing and development; for highly sensitive production keys, use local offline tools.

Can HMAC signatures be forged?

No. HMAC security depends on key secrecy and hash algorithm collision resistance. With sufficiently long and random keys, there are no known attacks that can forge valid HMAC signatures. Regular key rotation is a good security practice.

What is HMAC Generator & Verifier?

HMAC (Hash-based Message Authentication Code) is a widely-used message authentication technology defined in RFC 2104. HMAC processes a key together with a message through a hash function to produce a fixed-length signature. Unlike regular hashes, HMAC requires knowing the key to generate or verify a signature, guaranteeing both message integrity and authenticity.

**HMAC is the foundation of modern API security**. Stripe, GitHub, Shopify, Slack, and Twilio use HMAC-SHA256 to sign webhook events, ensuring requests actually come from the platform. AWS uses HMAC-SHA256 for Signature V4 request signing. JWT's HS256 algorithm is essentially HMAC-SHA256. Understanding HMAC is the first step to mastering API security.

**Different platforms have different signature formats**: Stripe's format is `t=timestamp,v1=hex_signature`, signing `timestamp.payload`; GitHub uses `X-Hub-Signature-256` with format `sha256=hex_signature`; Shopify uses `X-Shopify-Hmac-Sha256` with Base64-encoded value. This tool supports automatic parsing and verification for these common formats.

**Why does signature verification fail?** The most common reason is message format mismatch: the platform might sign `timestamp.payload` instead of the raw message body; or the message contains extra newlines; or the signature includes a prefix (like `sha256=`) that needs removing. Check the platform documentation carefully and compare using the raw hexadecimal value.

This tool uses the browser's native **Web Crypto API** (SubtleCrypto) for HMAC calculations — the same cryptographic library that powers HTTPS and TLS. All computation happens locally; keys and messages are never sent to any server. Open browser DevTools Network panel to verify no external requests are made.