← Blogby Marcell Almeida

How to generate HMAC signatures online

Enter a message and secret key — get an HMAC hex digest using the Web Crypto API.

Webhooks, API signatures, and JWT alternatives often use HMAC. The HMAC Generator computes SHA-256, SHA-384, or SHA-512 HMAC in your browser.

Try it — enter message, secret, and algorithm

Open full tool →

How it works

  1. Message — the payload to sign.
  2. Secret key — shared secret between sender and verifier.
  3. Algorithm — SHA-256 is the default choice for most APIs.

When to use HMAC

HMAC verifies that a message was not tampered with and was sent by someone who knows the secret. Common in webhook verification (Stripe, GitHub, Slack) and API request signing.

Output format

Lowercase hexadecimal string — the standard format expected by most API documentation.

The How to generate HMAC signatures online is free, runs locally, and never sends your data to a server. More developer tools at maratool.com.