HMAC Generator & Verifier
Compute HMAC-SHA-256, HMAC-SHA-1 or HMAC-SHA-512 signatures with any secret key, get hex and Base64 output, and verify webhook signatures (GitHub, Stripe). Keys and messages never leave your browser.
Webhook signature helpers
Most webhook providers sign the raw request body with a shared secret so you can prove the payload really came from them. Two common formats:
X-Hub-Signature-256
GitHub sends X-Hub-Signature-256: sha256=<hex>, where the hex value is the HMAC-SHA-256 of the exact raw request body using your webhook secret as the key. To verify: compute the HMAC over the unmodified body bytes, prefix with sha256=, and compare with a constant-time comparison. The example uses GitHub's documented test vector (secret It's a Secret to Everybody, body Hello, World!).
Stripe-Signature
Stripe sends Stripe-Signature: t=<timestamp>,v1=<hex>. The signed payload is <timestamp>.<raw body> — the Unix timestamp, a literal dot, then the raw body — signed with HMAC-SHA-256 using your endpoint's signing secret (whsec_…). Build that payload here:
About this tool
HMAC (hash-based message authentication code) combines a cryptographic hash with a secret key, proving both the integrity of a message (it wasn't altered) and its authenticity (it was produced by someone holding the key). It's the standard way services sign webhooks and API requests — GitHub, Stripe, Slack, Shopify and many others all use HMAC-SHA-256 over the raw request body.
Signatures are computed with the browser's native WebCrypto API (crypto.subtle.importKey + crypto.subtle.sign) — the same primitives your backend uses, so results match Node.js, Python and OpenSSL exactly.
Your secrets never leave the page — there is no server, no upload, and no tracking of tool inputs. Everything runs locally in your browser.