Privacy: All processing happens in your browser via the Web Crypto API. Your secret key is never sent to our servers.
What Is HMAC?
HMAC (Hash-based Message Authentication Code) is a specific type of message authentication code that combines a cryptographic hash function with a secret key. It provides both data integrity (the message hasn't changed) and authentication (the sender knows the secret key). The formula is: HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m)) where K is the key, K' is that key brought to the hash function's block size (hashed first if it is longer than the block, then padded with zero bytes), H is the hash function, and opad/ipad are fixed padding constants.
Common HMAC Use Cases
API request signing — AWS, Stripe, GitHub webhooks, and many APIs use HMAC-SHA256 to sign requests, so that any tampering with a request is detected when the signature is checked.
JWT signatures — HS256/HS384/HS512 tokens use HMAC to sign the token header and payload.
Webhook verification — When a third-party service sends your server a webhook, you recompute the HMAC over the received body with the shared secret and compare it to the signature the service sent, confirming it came from the expected sender.
Password-based key derivation — PBKDF2 uses HMAC internally as its pseudorandom function.
Choosing an Algorithm
HMAC-SHA256 — Best for most use cases. 256-bit output, widely supported, fast.
HMAC-SHA384 — Larger output (384 bits). Used in some compliance contexts.
HMAC-SHA512 — Maximum strength. Slower but provides 512-bit output.