HMAC Generator
HMAC is a keyed message-authentication construction: it combines a hash function with a shared secret to prove that a message came from someone who knows the key. Donfig's HMAC tool supports SHA-1, SHA-256, SHA-384, and SHA-512 (all backed by the browser's native Web Crypto). Common use cases: signing webhook payloads (Stripe, GitHub, Slack), verifying JWT signatures (HMAC-SHA-256 = HS256), and authenticating API requests. Paste your message and key; the digest computes live.
JavaScript is required to use the live tool. Please enable JavaScript and reload.
Frequently asked
How is HMAC different from a plain hash?
Plain hashes (SHA-256, MD5) anyone can compute. HMAC requires the secret key — only people who know the key can produce the same output.
Which HMAC variant should I use?
HMAC-SHA-256 is the modern default; it's what JWT HS256 uses. SHA-512 if you need a longer digest. SHA-1 only for legacy compatibility (collisions exist but HMAC-SHA-1 is still safe in practice).
Should the key be hex or text?
Either works. Donfig encodes the key as UTF-8 bytes. For hex or base64-encoded keys, decode them first using the Tokens panel.