HMAC Signature Generator & Calculator

• HMAC combines a secret key with a hash function for authentication
• Supports SHA-1, SHA-256, SHA-384, SHA-512, and MD5 algorithms
• Used by APIs (AWS, Stripe, GitHub) for request signing and webhook verification
• HMAC is more secure than plain hashing — it prevents length extension attacks
• Output is a fixed-length hex string regardless of input size

Use Cases

Frequently Asked Questions

What is the difference between HMAC and plain SHA-256 hashing?

Plain SHA-256 hashes only the message — anyone can compute it. HMAC-SHA256 requires a secret key, so only parties with the key can generate or verify the signature. HMAC also prevents length extension attacks.

How do I verify a Stripe webhook signature?

Use the Stripe webhook signing secret (whsec_...) as the key, the raw request body as the message, and HMAC-SHA256 with hex output. Compare with the signature in the Stripe-Signature header.

Why does my HMAC signature not match the expected value?

Common causes: using parsed JSON instead of raw body bytes, wrong encoding (UTF-8 vs ASCII), wrong algorithm (SHA-256 vs SHA-1), hex vs Base64 mismatch, or extra whitespace/newlines in the payload.

Which HMAC algorithm should I use?

HMAC-SHA256 is the standard for most modern APIs (Stripe, GitHub, Shopify). HMAC-SHA512 offers more bits but is slower. HMAC-SHA1 is legacy but still used by some older APIs. Avoid HMAC-MD5 for new implementations.

Is HMAC secure for API authentication?

Yes. HMAC is a proven, standardized mechanism for message authentication used in production by AWS, Stripe, GitHub, and thousands of APIs. Use a strong random secret key and always use constant-time comparison to prevent timing attacks.

Can I use HMAC for password hashing?

No. HMAC is fast by design — that's a feature for API authentication but a bug for password hashing. Use dedicated password hashing algorithms like bcrypt, argon2, or PBKDF2 that include deliberate computational slowness, salting, and protection against GPU brute-force. See our Bcrypt tool.

How do I verify a GitHub webhook signature?

Use HMAC-SHA256 with your GitHub webhook secret as the key and the raw request body as the message. GitHub sends the signature in the X-Hub-Signature-256 header as 'sha256=<hex>'. Strip the 'sha256=' prefix, then constant-time compare with your computed HMAC hex output.

What's the difference between hex and Base64 output?

Both encode the same raw HMAC bytes. Hex uses 0-9 a-f (64 chars for SHA-256); Base64 uses A-Z a-z 0-9 + / (44 chars for SHA-256). They look completely different and are not interchangeable — match the format your API expects. Stripe/GitHub use hex; Shopify/Twilio use Base64.

Does HMAC-SHA1 inherit SHA-1's broken status?

No, surprisingly. SHA-1 is broken for collision resistance, but HMAC's security relies on SHA-1 acting as a pseudorandom function — a different property that is NOT affected by collision attacks. HMAC-SHA1 remains cryptographically secure for message authentication. However, new systems should prefer HMAC-SHA256 for defense-in-depth and to retire SHA-1 entirely.

Why does my Stripe webhook signature work in test mode but fail in live mode?

You're almost certainly using your TEST webhook secret (whsec_test_...) to verify a LIVE webhook (or vice versa). Each Stripe webhook endpoint has its own signing secret per mode. In the Stripe dashboard, switch to live mode and copy the live secret. Also check that you've registered the endpoint URL in live mode — webhooks created in test mode don't carry over.

Is HMAC quantum-resistant?

HMAC with SHA-256 or SHA-512 is considered quantum-resistant in the same sense AES-256 is: Grover's algorithm provides only a square-root speedup, leaving HMAC-SHA-256 with ~128 bits of effective security against quantum attackers — still infeasible. The bigger quantum concern is asymmetric crypto (RSA, ECDSA) that Shor's algorithm breaks; HMAC is fine.