HMAC Generator
Compute an HMAC signature for server-signed payloads and integrations. Everything runs in your browser.
This demo generates HMAC values in your browser. For production, generate signatures server-side and keep secrets out of client code.
What is an HMAC?
HMAC (Hash-based Message Authentication Code) is a keyed cryptographic checksum, commonly called a signature, that proves a payload has not been altered and comes from a sender who holds the shared secret.
HMACs combine a secret key with your payload to produce a tamper-resistant signature. Use them to validate server-signed inbox sessions, secure webhook deliveries, and protect other server-to-server requests.
Shared Secret
Store the secret on your backend and use it to sign outbound payloads or validate inbound requests.
SHA-256 Signature
The output is a deterministic signature for a given payload and secret, making it easy to verify integrity across systems.
Why HMACs are Required
- Verifies that payloads are authentic and untampered
- Lets receivers reject requests with invalid signatures
- Provides a shared security layer without exposing credentials
Security Note: Keep your HMAC secret in server-side storage. Never expose it in client-side code or public repositories. The values here are generated client-side and never leave your browser.
HMAC Questions
Common questions about HMAC signatures, verification, and use cases.
What is HMAC-SHA256?
HMAC-SHA256 combines a secret key with the SHA-256 hash function to produce a fixed-length signature. Because the signature depends on both the key and the message, a receiver who shares the same secret can verify that the payload has not been altered in transit.
How do I verify a webhook signature with HMAC?
Recompute the HMAC using the raw request body and your shared secret, then compare the result to the signature header sent by the provider. If they match, the payload is authentic. Most webhook providers include the signature in a header like X-Signature or X-Hub-Signature-256.
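The verification steps above, as an added Python example (not code from this page or from any webhook provider). It assumes the header value is `sha256=` followed by the hex digest; the secret, body and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values, not real credentials or real provider traffic.
SECRET = b"example-shared-secret"
RAW_BODY = b'{"event": "message.sent",  "id": 42}'  # bytes exactly as received
PREFIX = "sha256="  # assumed header format: "sha256=<hex digest>"


def sign(raw_body: bytes, secret: bytes) -> str:
    """Return the header value a sender would attach to the request."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(raw_body: bytes, header_value: Optional[str], secret: bytes) -> bool:
    """Recompute the HMAC over the raw bytes and compare in constant time."""
    if not header_value or not header_value.startswith(PREFIX):
        return False  # missing header or unexpected algorithm prefix
    received = header_value[len(PREFIX):].strip().lower()
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest does not reveal how many leading characters matched,
    # unlike ==, which can stop at the first difference.
    return hmac.compare_digest(expected.encode(), received.encode())


def demo() -> dict:
    """Run the accept case and the common reject cases."""
    header = sign(RAW_BODY, SECRET)
    # Parsing and re-encoding JSON changes whitespace, so the bytes differ
    # from what the sender signed even though the data is the same.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "valid": verify(RAW_BODY, header, SECRET),
        "tampered_body": verify(RAW_BODY.replace(b"42", b"43"), header, SECRET),
        "reserialized_body": verify(reserialized, header, SECRET),
        "wrong_secret": verify(RAW_BODY, header, b"other-secret"),
        "missing_header": verify(RAW_BODY, None, SECRET),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'accept' if ok else 'reject'}")
```

The `reserialized_body` case is why the check must run on the raw request body before any framework parses it.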
What is the difference between HMAC and a hash?
A plain hash like SHA-256 only proves data integrity. Anyone can recompute it because no secret is involved. HMAC adds a secret key, which means only parties that share the key can produce or verify the signature, providing both integrity and authentication.