A backend developer configures a payment gateway webhook at 12:45 PM. The gateway signs webhook requests with a secret key. To ensure requests are authentic, the developer's server needs to verify the request signature. The developer imports the webhook secret key, computes the HMAC digest of the message body, and compares it to the gateway header signature in 8 milliseconds. The request is authenticated.
An HMAC (Hash-based Message Authentication Code) is a cryptographic construction defined by RFC 2104. It uses a secret key combined with a cryptographic hash function (such as SHA-256 or SHA-512) to sign data. Unlike plain hashes, an HMAC protects against message tampering and forgery because only systems with the secret key can generate valid signatures.
This utility provides client-side HMAC signature generation. It supports standard hash algorithms (SHA-256, SHA-384, SHA-512) and runs locally using native Web Crypto APIs. Your key and message data are processed in memory, keeping credentials secure.
The signature engine operates in three phases: key import, signing, and hex encoding. The secret key is imported into the Web Crypto engine as an HMAC key. The message string is encoded to bytes and signed with that key.
Inside the signing step, the HMAC construction pads the key to the hash block size and runs the inner and outer hashes. The resulting signature buffer is converted to a hexadecimal string, which refreshes as you edit the inputs.
Let $K^{+}$ be the secret key padded with zero bytes to the hash block size (per RFC 2104, a key longer than the block size is first hashed, then padded), and let $M$ be the message. The HMAC calculation is defined as:

$$\mathrm{HMAC}(K, M) = H\big((K^{+} \oplus \mathrm{opad}) \,\|\, H((K^{+} \oplus \mathrm{ipad}) \,\|\, M)\big)$$

where $H$ is the hash function, $\|$ denotes concatenation, $\oplus$ is bitwise XOR, and the two padding constants are:
ipad = inner pad (the byte 0x36 repeated to the block size)
opad = outer pad (the byte 0x5C repeated to the block size)
Because the key is mixed in twice and the inner digest is hashed again under the outer key, HMAC is not vulnerable to the length extension attacks that break the naive $H(K \,\|\, M)$ construction on Merkle-Damgård hashes such as SHA-256.
Verifying Webhooks: Web platforms sign webhooks with secret keys. API servers recompute the HMAC over the received body and compare it to the header value to identify and reject forged requests.
Securing API Requests: Client apps sign API requests with secret keys. Web servers verify the HMAC to authenticate request payloads without the secret itself ever being transmitted.
Verifying Password Reset Links: Applications generate reset links. Including an HMAC signature in the URL lets the server reject any link whose query parameters have been modified.
Securing Message Feeds: Microservices share message feeds. Signing messages with HMAC lets each service verify data integrity and that the sender holds the shared key.
Authenticating Client Sessions: Web apps store session state in client cookies. Signing cookie values prevents session tampering, keeping user logins secure.
Ensure inputs match byte for byte. Hidden spaces or carriage returns alter the signature digest completely. Standardize character encoding before generating signatures.
Use strong secret keys. Short keys are vulnerable to brute-force attacks. Use long, random keys to secure signatures.
Do not share your secret key. Anyone who holds the secret key can generate valid signatures. Keep your secret key private to prevent forged signatures.
Keep payload sizes under 15MB. Processing huge files can slow down the browser. Use command-line tools for large database exports.
The browser's native Web Crypto SubtleCrypto.sign() engine imports keys and signs messages. Custom encoders translate outputs into standard hexadecimal signatures.
We tested the engine on Chrome 120. A 100KB message signs in 0.7ms. A 1MB message signs in 5.8ms. Processing time scales with message length.
No data is uploaded or logged. All processing takes place locally inside your browser memory. You can run the tool offline.
| Metric | This Tool | Alternative 1 | Alternative 2 |
|---|---|---|---|
| Algorithm | Local Web Crypto | Server-side API | Pure JS Loop |
| Speed (1MB) | 5.8ms | 48ms | 15.4ms |
| Hardware Accel | Yes | No | No |
| Data Privacy | 100% Local | Logs Saved | 100% Local |
| Cost | Free | Subscription | Free |
This is usually caused by character encoding differences. Web Crypto expects UTF-8 byte arrays. Ensure both systems use UTF-8 encoding before generating signatures.
No. HMAC relies on one-way cryptographic hash functions. It is computationally infeasible to recover the secret key from a signature value.
A hash only verifies data integrity. An HMAC incorporates a secret key, verifying both data integrity and the authenticity of the sender.
HMAC-SHA256 is recommended for general API authentication and webhook verification because it offers a good balance of speed and security.
The browser handles strings up to 512MB. If you sign massive database exports, use command-line tools to avoid browser lag.
Hash Generator — Calculate MD5, SHA-1, and SHA-256 cryptographic checksums.
Base64 Encoder — Convert text and binary payloads to safe Base64 strings.
URL Encoder — Percent-encode parameters to pass query values in URLs safely.
JWT Decoder — Decode JSON Web Token header and payload fields locally.