utilAZ Logo

HMAC Generator

Generate HMAC (Hash-based Message Authentication Codes) using various hash algorithms

HMAC Generator

Characters: 57 | Bytes: 57
Security: Excellent - Industry standard

HMAC Result

Real-time HMAC generation will appear here

Recommended

SHA256:Industry Standard
SHA512:High Security
SHA3:Latest Standard

Legacy

SHA1:Deprecated
MD5:Avoid
Use only for backward compatibility

Use Cases

• API request authentication
• JWT token signing
• Webhook verification
• Data integrity checking
• Message authentication

HMAC Security Tips

  • Strong Keys: Use cryptographically random keys with sufficient length
  • Key Management: Store keys securely, rotate regularly, never hardcode
  • Algorithm Choice: Use SHA-256 or SHA-512 for new applications
  • Constant-Time Comparison: Always use constant-time comparison for verification
  • Include Timestamps: Add timestamps to prevent replay attacks

About HMAC (Hash-based Message Authentication Code)

HMAC is a cryptographic mechanism that combines a secret key with a hash function to provide message authentication and data integrity verification. It's widely used in API authentication, JWT tokens, and secure communication protocols.

  • Combines secret key with hash function for authentication
  • Provides both data integrity and authenticity verification
  • Resistant to length extension attacks (unlike simple keyed hashing)
  • Used in OAuth, JWT, API signatures, and SSL/TLS protocols
  • Supports multiple hash algorithms: SHA-256, SHA-512, MD5

HMAC vs Simple Hashing

HMAC Advantages

  • Authentication: Verifies message sender identity
  • Integrity: Detects message tampering
  • Secret Key: Only parties with key can generate/verify
  • Attack Resistant: Secure against length extension
  • Standardized: FIPS 198 and RFC 2104 compliant

Simple Hash Limitations

  • No Authentication: Anyone can compute hash
  • Vulnerable: Simple key concatenation is insecure
  • Length Extension: Attackers can extend messages
  • No Secret: Hash values can be computed by anyone
  • Limited Use: Only provides data integrity

Frequently Asked Questions

How to generate HMAC?

Enter your message and secret key into the utilAZ HMAC generator, choose an algorithm (SHA-256, SHA-512, etc.), and click Generate. The tool uses the Web Crypto API to compute the HMAC entirely in your browser, then displays the result in hex or Base64 format.

What is HMAC used for?

HMAC is used for API request authentication, webhook payload verification, JWT token signing, data integrity checks, and secure session management. It proves both that the message has not been tampered with and that it was sent by someone who holds the secret key.

Difference between HMAC and digital signature?

HMAC uses a shared symmetric secret key so both sender and receiver can generate and verify. Digital signatures use asymmetric keys where the private key signs and the public key verifies, providing non-repudiation. HMAC is faster; signatures prove identity to third parties.

How does HMAC work?

HMAC pads the secret key to the hash block size, XORs it with an inner pad (0x36), hashes that with the message to get an inner hash, then XORs the key with an outer pad (0x5C) and hashes the result with the inner hash. This double-hashing prevents length-extension attacks.

Is HMAC SHA-256 secure?

Yes, HMAC-SHA-256 is considered secure and is the recommended standard for most applications. Its security depends on key length (use at least 32 random bytes) and proper implementation with constant-time comparison to avoid timing attacks.

HMAC vs hash explained?

A plain hash (e.g. SHA-256) only provides integrity. Anyone can compute it because no secret is involved. HMAC combines a secret key with the hash, so only parties holding the key can generate or verify the code. This adds authentication on top of integrity.

HMAC Examples

HMAC-SHA256 Example:

Message:
"Hello, World!"
Secret Key:
"my-secret-key-123"
HMAC-SHA256:
4e99726...f8a2b1c
Length: 64 hex characters

HMAC Process:

1. Key Preparation
Pad/Hash: Adjust key to block size
XOR ipad: Key ⊕ 0x36 repeated
XOR opad: Key ⊕ 0x5C repeated
2. Inner Hash
Compute: H(K ⊕ ipad || message)
Result: Inner hash value
3. Outer Hash
Compute: H(K ⊕ opad || inner_hash)
Result: Final HMAC value

HMAC Implementation

Practical HMAC generation examples using native APIs and popular libraries:

JavaScript - Web Crypto API:

async function generateHMAC(message, secret, algo = 'SHA-256') { const enc = new TextEncoder(); const key = await crypto.subtle.importKey( 'raw', enc.encode(secret), { name: 'HMAC', hash: algo }, false, ['sign'] ); const sig = await crypto.subtle.sign('HMAC', key, enc.encode(message)); return [...new Uint8Array(sig)] .map(b => b.toString(16).padStart(2, '0')).join(''); } // Usage const hmac = await generateHMAC('Hello World', 'my-secret-key'); console.log(hmac); // 64-char hex string

Python - hmac module:

import hmac import hashlib message = b"Hello World" secret = b"my-secret-key" # Generate HMAC-SHA256 signature = hmac.new(secret, message, hashlib.sha256).hexdigest() # Verify HMAC (timing-safe comparison) expected = "known_hmac_value" is_valid = hmac.compare_digest(signature, expected)

Node.js - crypto module:

const crypto = require('crypto'); function generateHMAC(message, secret, algo = 'sha256') { return crypto.createHmac(algo, secret) .update(message).digest('hex'); } console.log(generateHMAC('Hello World', 'my-secret-key')); console.log(generateHMAC('Hello World', 'key', 'sha512'));

API Authentication with HMAC

Request Signing:

Method: POST /api/payments
Body: {"amount": 100, "currency": "USD"}
Timestamp: 1640995200
Signature Base: POST|/api/payments|body+timestamp
HMAC-SHA256: a1b2c3d4e5f6...
Header: Authorization: HMAC a1b2c3d4e5f6...

Verification Process:

1. Extract signature from Authorization header
2. Reconstruct signature base string
3. Generate HMAC with server's copy of key
4. Compare signatures using constant-time function
5. Check timestamp to prevent replay attacks
6. Allow/deny request based on verification

HMAC Security Best Practices

  • Strong Keys: Use cryptographically random keys with at least 32 bytes
  • Key Management: Store keys securely, rotate regularly, never hardcode
  • Algorithm Choice: Use SHA-256 or SHA-512, avoid MD5 and SHA-1
  • Constant-Time Comparison: Prevent timing attacks when verifying HMACs
  • Include Timestamps: Add timestamps to prevent replay attacks
  • Separate Keys: Use different keys for different purposes
  • Validate Input: Always validate message content before HMAC generation

Common Use Cases

  • API request authentication and authorization
  • JWT token signing and verification
  • Webhook payload verification
  • Message integrity in communications
  • Session token generation and validation
  • File integrity verification systems
  • OAuth signature generation
  • Database audit trail verification