Searchlight
Tools
BlogAbout
Free SEO Audit
Back to home
๐Ÿ“ˆSEO & Analytics
๐Ÿ—‚๏ธText & Data
๐Ÿ”Encoders & Decoders
Base64 TextBase64 FileURL EncoderHTML EntitiesNumber Base ConverterJWT DecoderMorse CodeROT13 / Caesar CipherHash GeneratorHMAC GeneratorHex โ†” Base64
โšกGenerators
๐Ÿ”„Converters
๐Ÿ–ผ๏ธImage Tools
๐Ÿ“„PDF Tools
๐Ÿ’ปCode Tools
๐Ÿ”Regex & Parsing
๐ŸงฎCalculators
๐Ÿ—บ๏ธDiagrams
๐ŸŒNetwork & Web
โœ๏ธText Utilities
๐ŸŽจColor Tools
๐Ÿ”€Diff & Compare
148+ tools. OAuth is read-only.
Searchlight

148+ free SEO, developer, image, PDF, and productivity tools - no account needed.

Free ยท all tools included
Company
  • Blog
  • About
  • Free SEO Audit
Legal
  • Privacy Policy
  • Terms of Service
  • Cookie Policy

ยฉ 2026 Searchlight. All rights reserved.

Read-only OAuth ยท No data reselling ยท Completely free

HMAC Generator

Generate HMAC signatures using the Web Crypto API. All computation happens locally in your browser.

About this tool

Generate HMAC (Hash-based Message Authentication Code) signatures using SHA-256, SHA-512, SHA-1, or MD5. Enter your message and secret key to produce the HMAC digest in hex or Base64 format. Used for API request signing, webhook verification (Stripe, GitHub, Shopify), and JWT HMAC signatures.

How to Generate an HMAC Signature

  1. 1Enter your message or paste the request body to sign.
  2. 2Enter the secret key (from your API provider or your own secret).
  3. 3Select the hash algorithm (SHA-256 is standard).
  4. 4Choose output format: hex (for most APIs) or Base64.
  5. 5Copy the generated HMAC and include it in your request header.

Frequently Asked Questions

What is HMAC and how does it work?+
HMAC combines a cryptographic hash function with a secret key to produce a message authentication code. It proves both that the message hasn't been tampered with (integrity) and that the sender knows the secret key (authentication).
How do I verify a Stripe webhook with HMAC?+
Stripe sends a Stripe-Signature header containing a timestamp and HMAC-SHA256 signature of the payload signed with your webhook secret. Recompute the HMAC locally and compare - if they match, the webhook is authentic.
What is the difference between HMAC and a simple hash?+
A plain hash of a message can be recomputed by anyone. HMAC requires knowing the secret key. Without the key, an attacker cannot forge a valid HMAC even if they know the message.
Should I use HMAC-SHA256 or HMAC-SHA512?+
HMAC-SHA256 is standard and sufficient for most applications. HMAC-SHA512 provides a larger output and is marginally faster on 64-bit CPUs, but either is secure for API signing and webhook verification.
Looking for a deeper guide on this topic? Browse the Searchlight blog.
Visit the blog โ†’

Related tools

View all Encoders & Decoders โ†’
Base64 TextEncode & decode Base64 textBase64 FileEncode images, PDFs & files to Base64URL EncoderURL encode / decode / percent-escapeHTML EntitiesHTML entity encode & decode