HMAC-SHA256 is a keyed hash that combines a secret key with a message using SHA-256 to produce a 256-bit authentication tag. It proves both that the message is intact and that it came from someone holding the key.

Why use HMAC instead of a plain SHA-256 hash?

A plain hash can be recomputed by anyone, so it only checks integrity. HMAC mixes in a secret key, so only parties with the key can produce or verify the tag, which also defends against length-extension attacks.

When should I read the key as hex instead of text?

Use hex when your secret is stored as raw bytes, such as a 32-byte signing key printed as 64 hex characters. Use UTF-8 text when the secret is a human-readable string like a passphrase.

Is this the same code webhook providers use to sign requests?

Yes. Many providers, including Stripe and GitHub, sign webhook payloads with HMAC-SHA256. You can paste the payload and your signing secret here to reproduce and compare the signature.

Is my key sent to a server?

No. The HMAC is computed in your browser with the Web Crypto API, so your key and message never leave your device.

HMAC-SHA256 Generator

HMAC-SHA256 is a keyed-hash message authentication code: it mixes a secret key with a message and the SHA-256 hash function to produce a 256-bit tag. Unlike a plain hash, the tag cannot be forged or recomputed without the key, which is why APIs and webhook providers use it to sign requests. This tool computes it locally using the browser’s Web Crypto API.

How it works

HMAC is defined (RFC 2104) as:

HMAC(K, m) = H( (K' XOR opad) || H( (K' XOR ipad) || m ) )

where H is SHA-256, K' is the key padded or hashed to the block size, ipad/opad are fixed padding constants, and || is concatenation. The double-hashing structure is what makes HMAC resistant to length-extension attacks that affect naive H(key || message) constructions.

This tool imports your key as raw bytes (interpreting it as UTF-8 text or hex), signs the message with crypto.subtle.sign, and renders the resulting 32-byte MAC as both lowercase hex (64 characters) and Base64.

Tips

To verify a provider’s webhook signature, paste the exact raw request body as the message and your signing secret as the key, then compare the hex output to the signature header.
The same key and message always produce the same tag; any change to either, even one byte, completely changes the output.
Computation is local — your secret never leaves the browser.