Is my key or message sent to a server?

No. All computation runs inside your browser using the native WebCrypto API. Your message and secret key never leave your device.

Which algorithm should I use?

SHA-256 is the most common and is suitable for the vast majority of use cases. SHA-384 and SHA-512 produce longer digests and are preferred when a higher security margin is required.

What is the difference between hex and Base64 output?

Hex encodes each byte as two lowercase hexadecimal characters. Base64 encodes three bytes as four ASCII characters, resulting in a shorter string — both represent the same digest.

Can I use this to verify a GitHub webhook signature?

Yes. Set the algorithm to SHA-256, paste your webhook secret as the key, paste the raw request body as the message, then compare the hex output (prefixed with "sha256=") to the X-Hub-Signature-256 header.

Why does my HMAC not match my backend?

Common causes: extra whitespace in the message or key, different encoding (UTF-8 vs Latin-1), or a different output format (hex vs Base64). Ensure both ends use identical inputs and the same format.

HMAC Calculator

Name: HMAC Calculator
Availability: InStock
Author: Nham Vu

Enter a message and secret key to instantly compute an HMAC digest using SHA-256, SHA-384, or SHA-512 — all in the browser with no data sent to any server.

Message

Secret Key

Algorithm

SHA-256 SHA-384 SHA-512

Output Format

Hexadecimal Base64

HMAC Digest HMAC-SHA-256 / Hex

Enter a message and key to compute the HMAC.

Digest lengths (hex chars)

Algorithm	Hex	Base64	Bits
HMAC-SHA-256	64	44	256
HMAC-SHA-384	96	64	384
HMAC-SHA-512	128	88	512

Summary

Enter a message and secret key to instantly compute an HMAC digest using SHA-256, SHA-384, or SHA-512 — all in the browser with no data sent to any server.

How it works

Enter the message you want to authenticate in the Message field.
Type your secret key in the Key field.
Select the hash algorithm: SHA-256, SHA-384, or SHA-512.
Choose the output format — hexadecimal or Base64.
The HMAC digest updates instantly using your browser's built-in WebCrypto API.
Click Copy to copy the result to your clipboard.

Use cases

Verify webhook signatures from payment providers or GitHub.
Generate API request signatures for REST or GraphQL services.
Test HMAC implementations during backend development.
Authenticate messages between microservices during debugging.
Validate that a secret key produces the expected digest for a known payload.
Check token integrity in JWT or custom token schemes.

Frequently Asked Questions

Last updated: 2026-07-01 · Reviewed by Nham Vu