Question 1

What is HMAC?

Accepted Answer

HMAC (Hash-based Message Authentication Code) is a mechanism for calculating a message authentication code using a cryptographic hash function combined with a secret key. It provides both data integrity and authentication.

Question 2

What hash algorithms are supported?

Accepted Answer

This tool supports HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512. SHA-256 produces a 64-character hex digest, SHA-384 produces 96 characters, and SHA-512 produces 128 characters. SHA-256 is the most commonly used.

Question 3

How is HMAC different from a plain hash?

Accepted Answer

A plain hash (e.g., SHA-256 of a message) can be computed by anyone. HMAC requires a secret key, so only parties who possess the key can generate or verify the code. This makes HMAC suitable for verifying both the integrity and authenticity of a message.

Question 4

Where is HMAC used in practice?

Accepted Answer

HMAC is used in API authentication (e.g., AWS Signature V4), JWT signing (HS256/HS384/HS512), webhook verification (GitHub, Stripe), and secure cookie signing. It is one of the most widely deployed authentication primitives.

Question 5

Is it safe to compute HMAC in the browser?

Accepted Answer

Yes. This tool uses the Web Crypto API (crypto.subtle), which runs natively in the browser with no external dependencies. Your secret key and message never leave your device.

HMAC Generator

Frequently Asked Questions