Security
HMAC-SHA256 Generator
Uses crypto.subtle.sign. 100% Local.
Input
Enter a secret key and message to compute the signature.
Both key and message are processed locally in your browser.
HMAC-SHA256
Frequently Asked Questions
What is HMAC?
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a message authentication code. Unlike a plain hash, HMAC verifies both data integrity (the message was not altered) and authenticity (it came from someone with the secret key).
What is HMAC-SHA256 used for?
HMAC-SHA256 is used in JWT signatures (HS256 algorithm), API request signing (AWS Signature Version 4, Stripe webhooks), TOTP two-factor authentication (RFC 6238), and verifying webhook payloads to ensure they came from a trusted source.
Is HMAC the same as a digital signature?
Similar purpose, different mechanism. HMAC uses a shared secret key (symmetric) — both sender and receiver must have the same key. Digital signatures (RSA, ECDSA) use asymmetric key pairs — private key signs, public key verifies. HMAC is faster; digital signatures provide non-repudiation.