HMAC Generator
Generate Hash-based Message Authentication Codes with multiple algorithms and output formats
About HMAC
HMAC (Hash-based Message Authentication Code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key.
Key Features
- Message Authentication: Verifies both the data integrity and authenticity of a message
- Secret Key: Uses a shared secret key for generating and verifying the MAC
- Cryptographic Hash: Applies a hash function (like SHA-256) to the message and key
- Security: Resistant to various cryptographic attacks when used with secure hash functions
Algorithm Security Levels
- Recommended: SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512, BLAKE2b
- Legacy/Deprecated: SHA-1, MD5, RIPEMD-160
When to Use HMAC
- API request authentication
- Secure message transmission
- Data integrity verification
- Session token generation
- Password storage (with proper key management)
HMAC Implementation Examples
JavaScript (Web Crypto API)
    async function generateHMAC(message, secretKey, algorithm = 'SHA-256') {
      const encoder = new TextEncoder();
      // Import the raw key bytes as a non-extractable HMAC key usable only for signing
      const key = await crypto.subtle.importKey(
        'raw',
        encoder.encode(secretKey),
        { name: 'HMAC', hash: algorithm },
        false,
        ['sign']
      );
      // Compute the MAC over the UTF-8 encoded message
      const signature = await crypto.subtle.sign(
        'HMAC',
        key,
        encoder.encode(message)
      );
      // Convert to hex
      const hashArray = Array.from(new Uint8Array(signature));
      return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
    }
Python
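    import hmac
    import hashlib

    def generate_hmac(message, secret_key, algorithm='sha256'):
        # Map algorithm names to hashlib constructors
        algo_map = {
            'sha256': hashlib.sha256,
            'sha512': hashlib.sha512,
            'sha3_256': hashlib.sha3_256,
            # blake2b defaults to a 64-byte digest. Pass the constructor itself:
            # hmac calls it with the key as an argument when the key is longer
            # than the hash block size, which a zero-argument lambda cannot accept.
            'blake2b': hashlib.blake2b
        }
        # Unknown names fall back to SHA-256
        hash_func = algo_map.get(algorithm.lower(), hashlib.sha256)
        return hmac.new(
            secret_key.encode('utf-8'),
            message.encode('utf-8'),
            hash_func
        ).hexdigest()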
PHP
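    function generate_hmac($message, $secret_key, $algorithm = 'sha256') {
        // Map accepted names to PHP hash extension algorithm names
        $algo_map = [
            'sha256' => 'sha256',
            'sha512' => 'sha512',
            'sha3-256' => 'sha3-256',
            'blake2b' => 'blake2b'
        ];
        // Unknown names fall back to SHA-256
        $algo = $algo_map[$algorithm] ?? 'sha256';
        // hash_hmac() rejects names this PHP build does not offer for HMAC
        // (see hash_hmac_algos()), so fall back to SHA-256 in that case too
        if (!in_array($algo, hash_hmac_algos(), true)) {
            $algo = 'sha256';
        }
        return hash_hmac($algo, $message, $secret_key);
    }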
Security Considerations
- Key Management: Keep your secret keys secure and never expose them in client-side code
- Algorithm Choice: Prefer SHA-256 or the SHA-3 family over older algorithms
- Message Integrity: HMAC verifies both authenticity and integrity; any change to the message or key changes the output
- Key Length: Use keys with sufficient entropy (at least as long as the hash output)
- Deprecated Algorithms: Avoid MD5 and SHA-1 for security-sensitive applications
Common Use Cases
- API Authentication: Sign API requests to verify they haven't been tampered with
- Session Tokens: Create secure session tokens that can be verified by your server
- Webhook Verification: Verify incoming webhooks are from the expected sender
- Data Integrity: Ensure data hasn't been altered in transit or storage
- Password Storage: As part of a key derivation function (with proper salting)
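
The generator functions above only produce a MAC. The receiving side of the API-authentication and webhook use cases looks like the following, an added example that is not part of the original page. The `timestamp.body` signing layout, the 300-second freshness window, and the sample secret and payload are assumptions constructed for illustration. It goes slightly beyond the page by binding a timestamp into the MAC, since HMAC by itself does not stop a captured request from being replayed.

```python
import hashlib
import hmac

# Constructed sample values for this example only (not from the page).
SECRET = b"example-shared-secret-32-bytes!!"
BODY = b'{"event":"invoice.paid","id":"evt_0001"}'


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over b'<timestamp>.<body>'."""
    msg = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp: str, body: bytes,
           received_hex: str, now: int, max_age: int = 300) -> bool:
    """Receiver side: recompute the MAC and compare in constant time.

    `now` is the receiver's clock in Unix seconds, passed in so the
    function is deterministic and testable.
    """
    try:
        ts = int(timestamp)
        received = bytes.fromhex(received_hex)
        expected = bytes.fromhex(sign(secret, timestamp, body))
    except ValueError:
        # Malformed timestamp or signature: reject instead of raising.
        return False
    # The timestamp is covered by the MAC, so it cannot be altered without
    # the key; rejecting old ones limits replay of a captured request.
    fresh = abs(now - ts) <= max_age
    # compare_digest takes time independent of where the inputs differ.
    # A plain == can leak, byte by byte, how much of a guess was correct.
    return hmac.compare_digest(expected, received) and fresh


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    sig = sign(SECRET, str(now), BODY)
    print("valid:        ", verify(SECRET, str(now), BODY, sig, now))
    print("tampered body:", verify(SECRET, str(now), BODY + b" ", sig, now))
    print("replayed late:", verify(SECRET, str(now), BODY, sig, now + 3600))
```

The MAC must be computed over the exact bytes received, before any JSON parsing or re-serialization, or a valid request can fail verification.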