Encrypt Online
Privacy: All tools run entirely in your browser.

HMAC Generator & Verifier

Generate, compare, and debug HMAC signatures locally

Safety note: Avoid pasting production secrets. HMAC work stays in your browser and is never sent to a server.
What Is an HMAC?

HMAC combines a shared secret with a hash function to create a message authentication code. It proves integrity and shared-secret knowledge. It does not encrypt the message body.

Generate or Verify an HMAC
  1. Paste the exact message bytes and shared secret.
  2. Select the correct HMAC algorithm and output encoding.
  3. Use Generate to reproduce a signature or Verify to compare an expected value.
  4. Check the mismatch notes for newline, whitespace, and copy/paste drift.
Known-Good Test Vector

The built-in RFC 4231 sample uses the secret "Jefe" and the message "what do ya want for nothing?". If that sample fails, the issue is in the local workflow, not your integration payload.

Common Mismatch Causes
  • Comparing hex output against a Base64 or Base64URL signature.
  • Hidden newlines, CRLF line endings, or trailing spaces in the message.
  • Signing parsed JSON instead of the raw bytes that were transmitted.
  • Using HMAC as if it were encryption instead of integrity verification.
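
The same checks as a script, added here as an example (it is not this tool's own code): it verifies the RFC 4231 sample with a constant-time comparison and reports which byte or encoding drift from the list above explains a mismatch. HMAC-SHA-256 is assumed, and the function names and the set of variants tried are illustrative choices.

```python
import base64
import hashlib
import hmac

# RFC 4231 test case 2 (the page's built-in sample), HMAC-SHA-256 digest in hex.
KEY = b"Jefe"
MSG = b"what do ya want for nothing?"
EXPECTED_HEX = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"


def decode_signature(sig: str, encoding: str) -> bytes:
    """Decode a received signature to raw MAC bytes (ValueError on bad input)."""
    sig = sig.strip()
    if encoding == "hex":
        return bytes.fromhex(sig)
    padded = sig + "=" * (-len(sig) % 4)  # Base64URL senders often drop padding
    if encoding == "base64":
        return base64.b64decode(padded, validate=True)
    if encoding == "base64url":
        return base64.urlsafe_b64decode(padded)
    raise ValueError(f"unknown encoding: {encoding}")


def verify(secret: bytes, raw_body: bytes, sig: str, encoding: str) -> bool:
    """Constant-time check of sig against HMAC-SHA-256 over the raw bytes."""
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    try:
        received = decode_signature(sig, encoding)
    except ValueError:
        return False
    return hmac.compare_digest(expected, received)


def diagnose(secret: bytes, raw_body: bytes, sig: str) -> str:
    """Debug aid only: report which byte/encoding drift makes sig match."""
    variants = {
        "exact bytes": raw_body,
        "trailing newline removed": raw_body.rstrip(b"\r\n"),
        "LF appended": raw_body + b"\n",
        "CRLF converted to LF": raw_body.replace(b"\r\n", b"\n"),
        "trailing whitespace removed": raw_body.rstrip(),
    }
    for label, body in variants.items():
        for encoding in ("hex", "base64", "base64url"):
            if verify(secret, body, sig, encoding):
                return f"{label}, {encoding}"
    return "no match"
```

In an integration, call only verify() with the one encoding the sender documents, over the raw request bytes; diagnose() is for working out why a signature did not match.
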
FAQ
Is HMAC encryption?

No. HMAC checks integrity and authenticity. It does not hide the message.

Which output encoding should I use?

Match the signature format from the system you are debugging: hex, Base64, or Base64URL.

Do you store my secret?

No. Everything runs locally in your browser.