HMAC Generator
Sign data with a secret key using HMAC-SHA1/256/384/512. Generate signatures for webhooks & APIs, or verify a signature against a payload. Uses native Web Crypto — your data never leaves your browser.
0 B
—
Enter key, message, and a signature to verify.
📌 Usage notes & common pitfalls
- Webhook signatures (e.g. Stripe): algorithm
SHA-256, message = raw request body, key = signing secret, output = hex. - GitHub webhooks:
sha256=prefix on the signature. Strip the prefix before comparing. - Binary payloads: check Input is hex and paste the raw hex of the bytes.
- Key encoding: the key is treated as UTF-8 text. If you have a hex key, convert it first.
- Comparison in Verify mode is constant-time, but timing-safe at rest — this is a debugging aid, not for production verification.