How to Generate HMAC Signatures: SHA-256, SHA-1, SHA-512
Learn how to generate and verify HMAC signatures for API requests, webhooks, and JWTs. Free in-browser tool.
What is an HMAC signature?
HMAC (Hash-based Message Authentication Code) is a way to verify both the integrity and authenticity of a message. It uses a cryptographic hash function (typically SHA-256) combined with a shared secret key to produce a unique signature for a given input. If even a single byte of the message changes, the signature changes too.
HMAC is widely used in API authentication, webhook verification, JWT signing, and secure communication protocols. Unlike a plain hash, HMAC requires a key, which means only parties who hold the secret can produce or verify the signature.
Common use cases
- Webhook verification: Confirming that an incoming request came from a known sender
- API request signing: Letting a server verify that a request was issued by a known client
- JWT signing: Producing the signature segment of a JSON Web Token
- File integrity: Detecting tampering in transit or storage
- OAuth 1.0a and AWS Signature V4: Classical and modern request signing schemes
Method 1: Use UtilBoxx's free HMAC generator (Recommended)
Our HMAC signature generator supports HMAC-SHA-256, HMAC-SHA-1, and HMAC-SHA-512, and produces hex or Base64 output. Here is how to use it:
- Go to utilboxx.com/en/tools/crypto/hmac
- Enter your message and secret key
- Choose the algorithm (SHA-256 is the default)
- Pick the output encoding (hex or Base64)
- Copy the generated signature with one click
Why this method works:
- Runs entirely in your browser; secrets never leave your device
- Supports the most common HMAC algorithms
- Live updates as you type
- Mobile-friendly
- 100% free, no signup, no ads
Method 2: Use OpenSSL on the command line
The `openssl` command is available on Linux, macOS, and Windows (with Git Bash or WSL):
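```bash
# -n suppresses echo's trailing newline, which would otherwise be signed too.
# The key passed to -hmac is visible in shell history and the process list.
echo -n "message" | openssl dgst -sha256 -hmac "mysecretkey"
```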
This produces a hex-encoded HMAC-SHA-256 signature. Replace `sha256` with `sha1` or `sha512` for other algorithms.
Method 3: Use a language library
In Node.js, the built-in `crypto` module handles HMAC:
```javascript
const crypto = require('crypto');

// Algorithm and key first, then the message; digest('hex') returns the signature
const hmac = crypto.createHmac('sha256', 'mysecretkey');
hmac.update('message');
console.log(hmac.digest('hex'));
```
In Python:
```python
import hashlib
import hmac

# Key and message must both be bytes
print(hmac.new(b"mysecretkey", b"message", hashlib.sha256).hexdigest())
```
In Go:
```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

func main() {
	mac := hmac.New(sha256.New, []byte("mysecretkey"))
	mac.Write([]byte("message"))
	fmt.Println(hex.EncodeToString(mac.Sum(nil)))
}
```
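The snippets above only generate a signature; the receiving side of webhook verification or API request signing also has to check one. The following is an added example, not UtilBoxx's code: a Python verifier that assumes a hypothetical header format `<algorithm>=<hex digest>` and constructed keys, accepts the previous key while a rotation is in progress, and rejects malformed or SHA-1 signatures.

```python
import hashlib
import hmac

# Assumed header format "<algorithm>=<hex digest>"; SHA-1 is deliberately not accepted.
ALGORITHMS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def sign(key: bytes, body: bytes, algorithm: str = "sha256") -> str:
    """Return the hex HMAC of the raw request body."""
    return hmac.new(key, body, ALGORITHMS[algorithm]).hexdigest()


def verify(keys, body: bytes, header: str) -> bool:
    """Return True if `header` is a valid signature of `body` under any key in `keys`.

    `keys` is the current key plus any previous key still accepted during rotation.
    """
    algorithm, sep, received_hex = header.strip().partition("=")
    if not sep or algorithm not in ALGORITHMS:
        return False  # missing prefix or unsupported algorithm
    try:
        received = bytes.fromhex(received_hex)
    except ValueError:
        return False  # not valid hex
    ok = False
    for key in keys:
        expected = hmac.new(key, body, ALGORITHMS[algorithm]).digest()
        # compare_digest is constant-time: it does not reveal how many
        # leading bytes of a forged signature were correct.
        ok |= hmac.compare_digest(expected, received)
    return ok


if __name__ == "__main__":
    # Constructed sample values, not real secrets or real traffic.
    current, previous = b"constructed-key-2", b"constructed-key-1"
    body = b'{"event":"ping"}'
    header = "sha256=" + sign(previous, body)
    print(verify([current, previous], body, header))  # signed with the old key
    print(verify([current], body, header))            # old key retired
    print(verify([current, previous], body + b" ", header))  # body modified
```

Sign and verify the raw bytes as received, before any JSON parsing or re-serialization, since a re-encoded body rarely matches byte for byte.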
Frequently asked questions
Is HMAC the same as a digital signature?
No. HMAC uses a shared secret, while a digital signature uses asymmetric cryptography (public/private key). HMAC is faster and simpler, but you must securely share the secret with all parties who need to verify the signature.
Which hash function should I use?
HMAC-SHA-256 is the modern default. It is widely supported, secure, and fast. HMAC-SHA-1 is considered legacy and is only used for compatibility with old systems. HMAC-SHA-512 offers higher security for very sensitive applications.
Can an HMAC signature be reversed?
No. The signature is the output of a one-way function. An attacker cannot recover the message or the key from a signature, but an attacker who knows or suspects the message can check guessed keys against it. Use long, random keys to maximize security.
What happens if the key is leaked?
A leaked key allows attackers to forge valid signatures for any message, completely breaking the authentication. Treat HMAC keys like passwords: store them securely, rotate them regularly, and never commit them to source control.
Conclusion
HMAC is a foundational tool for secure APIs and message integrity. For a quick, in-browser generator, the UtilBoxx HMAC signature tool is the easiest way to compute and verify signatures.