Skip to content

HMAC Generator

HMAC SignatureSHA-256 · hex
Enter a message above to generate its HMAC.

Webhook Signature Helper

Reproduce the exact signature header a provider sends so you can verify or replay webhooks.

HMAC-SHA256 of the raw request body, hex, prefixed with sha256=.

X-Hub-Signature-256
Enter a message above to build the header.

Everything runs in your browser with the Web Crypto API. Your message and secret never leave this page.

What This Tool Does

HMAC Generator is built for deterministic developer and agent workflows.

Compute an HMAC for any message and key (SHA-1/256/384/512) and build webhook signatures in GitHub, Stripe, and Slack formats.

Use How to Use for execution steps and FAQ for constraints, policies, and edge cases.

Last updated:

This tool is provided as-is for convenience. Output should be verified before use in any production or critical context.

Agent Invocation

Best Path For Builders

Browser workflow

Runs instantly in the browser with private local processing and copy/export-ready output.

Browser Workflow

This tool is optimized for instant in-browser execution with local data handling. Run it here and copy/export the output directly.

/hmac-generator/

For automation planning, fetch the canonical contract at /api/tool/hmac-generator.json.

How to Use HMAC Generator

  1. 1

    Enter your message

    Paste the payload or raw request body you want to authenticate into the message box.

  2. 2

    Add the secret key

    Type the shared secret both sides agree on. It is combined with the message to produce the signature.

  3. 3

    Pick algorithm and encoding

    Choose SHA-256 or another hash, then hex or base64 to match what your server expects.

  4. 4

    Use the webhook helper

    Select GitHub, Stripe, or Slack to get the exact signed header string, including timestamp handling where required.

  5. 5

    Copy the result

    Copy the signature or the full header and compare it against the incoming request to confirm authenticity.

Frequently Asked Questions

What is an HMAC?
An HMAC is a keyed hash that proves a message came from someone holding the shared secret and was not altered in transit. It mixes your secret key with the payload using a hash such as SHA-256.
How do I verify a GitHub or Stripe webhook signature?
Pick the provider in the webhook helper, paste the raw request body as the message, and enter your signing secret. The tool reproduces the exact signature header so you can compare it to the one the provider sent.
Which hash algorithm should I use?
SHA-256 is the default for almost every webhook and modern API. SHA-384 and SHA-512 add digest length; SHA-1 exists only for legacy systems and should be avoided for new work.
Is my secret or message sent anywhere?
No. The HMAC is computed locally with the browser's Web Crypto API, so your message and secret never leave the tab or touch a server.
What is the difference between hex and base64 output?
It is the same signature in two text encodings. GitHub, Stripe, and Slack expect hex; some APIs expect base64. Switch the encoding to match what your server compares against.