HMAC Generator
Generate an HMAC signature for server-signed payloads and integrations. Everything runs in your browser.
Click Generate to create an HMAC// This demo generates HMAC values in your browser. For production, generate signatures server-side and keep secrets out of client code.
Web Push Developer Tools
Free tools to help you get started with web push notifications.
Web Push Notification Service
Send web-push notifications without managing infrastructure. Easy setup with MagicBell.
Web Push Test for PWA & Websites
Test web-push notifications in your browser without any setup.
What is an HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic signature that proves a payload has not been altered and comes from a trusted sender.
HMACs combine a secret key with your payload to produce a tamper-resistant signature. Use them to validate server-signed inbox sessions, secure webhook deliveries, and protect other server-to-server requests.
Shared Secret
Store the secret on your backend and use it to sign outbound payloads or validate inbound requests.
SHA-256 Signature
The output is a deterministic signature for a given payload and secret, making it easy to verify integrity across systems.
Why HMACs are Required
- Verifies that payloads are authentic and untampered
- Lets receivers reject requests with invalid signatures
- Provides a shared security layer without exposing credentials
Security Note: Keep your HMAC secret in server-side storage. Never expose it in client-side code or public repositories. The values here are generated client-side and never leave your browser.
Learn more about signing payloads
These resources cover authentication and integrity best practices for signed payloads.
SubtleCrypto
Reference documentation for the WebCrypto API used to generate HMAC signatures.