HMAC Generator & Verifier
Generate and verify HMAC signatures using the browser's native Web Crypto API. Supports SHA-256, SHA-384, SHA-512, and SHA-1 with hex and base64 output — 100% browser-based, zero uploads.
How ZeroData protects your privacy
- ✓ No Uploads: Processing happens entirely via client-side JavaScript.
- ✓ No Storage: We do not have a database. We physically cannot save your data.
- ✓ No Tracking: We don't log what you process or track your inputs.
- ✓ Verifiable: Check your DevTools Network tab. You will see 0 outbound requests.
HMAC vs Hashing: When to Use Each
Regular hash functions like SHA-256 verify integrity: a matching digest shows the data hasn't been tampered with. But they don't prove authenticity, because anyone can compute the same hash. HMAC solves this by incorporating a secret key into the hash computation. Only parties who know the key can generate or verify the HMAC, which proves both that the data is intact and that it came from a holder of the key.
Need to generate plain hashes instead? Use our Hash Generator for SHA-256, SHA-512, and MD5. For verifying bcrypt password hashes, try the Bcrypt Hash Verifier.
HMAC in JWT and API Signing
HMAC-SHA256 is the cryptographic primitive behind JWT HS256 tokens and most API request signing schemes (AWS Signature V4, Stripe webhook verification, GitHub webhook secrets). When you sign a JWT with HS256, the signer computes HMAC-SHA256(base64url(header) + "." + base64url(payload), secret). This tool computes the same HMAC through the Web Crypto API (crypto.subtle), making it ideal for debugging JWT signatures during development.
To debug the full JWT token structure, use our JWT Debugger. To verify complete JWT signatures with key validation, try the JWT Signature Verifier.
Why Compute HMAC Locally
HMAC computation requires your secret key, the most sensitive credential in any authentication system. Entering your API signing key or JWT secret into an online tool that processes input on a server sends it to a third party, potentially exposing every signed request or token. This tool runs entirely in your browser using the native Web Crypto API. No keys, messages, or signatures ever leave your device.
How to Use the HMAC Generator & Verifier
- Enter the message you want to sign in the Message field.
- Enter your secret key in the Secret Key field.
- Select the HMAC algorithm (SHA-256 recommended) and output encoding (hex or base64).
- Click Generate HMAC to compute the signature.
- Switch to Verify mode and paste an expected HMAC to check if it matches.
Common Use Cases
- Generating HMAC-SHA256 signatures for API request authentication (AWS, Stripe, GitHub).
- Verifying webhook signatures from services like GitHub, Stripe, and Twilio.
- Testing JWT HS256 signatures during development and debugging.
- Creating message authentication codes for secure inter-service communication.
- Validating API response integrity using shared secret HMAC verification.
Frequently Asked Questions
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic construction that combines a hash function (like SHA-256) with a secret key to produce a message authentication code. Unlike plain hashing, HMAC proves both data integrity AND authenticity — only someone with the secret key can generate or verify the correct HMAC.
What is the difference between HMAC and regular hashing?
Regular hashing (SHA-256, MD5) produces the same output for the same input regardless of who computes it. HMAC adds a secret key to the process, so only parties who know the key can generate or verify the hash. This makes HMAC suitable for authentication (verifying who sent a message), while plain hashes only verify integrity (the data wasn't changed).
Which HMAC algorithm should I use?
Use HMAC-SHA256 for most applications — it is the standard for JWT signing (HS256), API request authentication (AWS Signature V4), and webhook verification (GitHub, Stripe). Use HMAC-SHA512 when you need a higher security margin. Avoid HMAC-SHA1 for new implementations as SHA-1 has known weaknesses, though HMAC-SHA1 remains safe for legacy compatibility.
How is HMAC used in JWT?
JWT tokens signed with the HS256 algorithm use HMAC-SHA256 internally. The JWT header and payload are Base64URL-encoded and concatenated with a dot, then HMAC-SHA256 is computed over that string using the shared secret key. The result, Base64URL-encoded, becomes the JWT signature. This tool uses the same Web Crypto API that browser-based code uses for JWT verification.
Is this HMAC generator safe to use with real API keys?
Yes. This tool uses the browser's native Web Crypto API and runs 100% client-side. Your secret keys and messages are never sent to any server. You can verify this by checking the Network tab in your browser's DevTools — zero outbound requests.