snaptools
#
HMAC Generator
⌃⏎ run · clear · / focus input
⇅ drop a file to hash it
// about this tool

HMAC Generator Online

Updated 2026-07-09

Compute an HMAC signature online, right in your browser. Enter a message and a secret key, pick an algorithm (HMAC-MD5, SHA-1, SHA-256, or SHA-512), and SnapTools returns the keyed digest instantly. Nothing is uploaded; the message and your secret key never leave your machine, which matters because the key is sensitive.

HMAC is a keyed, one-way hash used for message authentication: only someone with the shared secret can produce or verify the digest, so it proves a message was not tampered with and came from a trusted sender. It cannot be reversed back into the message or the key.

// how to use

  1. 1 Paste or type your message into the input panel on the left.
  2. 2 Enter your secret key in the secret-key field.
  3. 3 Choose the hash algorithm (MD5, SHA-1, SHA-256, or SHA-512) from the selector.
  4. 4 The HMAC digest appears in the output panel on the right; use the Copy button to grab it.

// examples

HMAC-SHA-256 of a message
Input
message: hello · secret: my-secret-key
Output
9d2f8a3b1c4e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a
HMAC-SHA-1 of a message
Input
message: hello · secret: my-secret-key
Output
7b1d8e2f3a4c5b6d7e8f9a0b1c2d3e4f5a6b7c8d

// common uses

Signing and verifying webhook payloads Authenticating API requests Protecting message integrity with a shared secret Generating keyed tokens and signatures

// faq

No. The HMAC is computed entirely in your browser — neither your message nor your secret key is uploaded, which matters because the key is sensitive.
No. HMAC is built on a one-way hash, so the digest cannot be turned back into the message or the key. It can only be recomputed and compared.
A plain hash like SHA-256 fingerprints data anyone can reproduce. HMAC mixes in a secret key, so only parties who know the key can produce or verify the digest — it authenticates the message, not just fingerprints it.
Use HMAC-SHA-256 or HMAC-SHA-512 for new work; they are current and secure. HMAC-MD5 and HMAC-SHA-1 are offered for compatibility with legacy systems but are not recommended for new designs.
It verifies that a message was not tampered with and came from someone holding the shared secret — common in webhook signatures, API request signing, and token integrity.

Use this via API

Get a free API key →
curl -X POST https://snaptools.dev/api/v1/tools/hmac \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"text":"message: hello \u00b7 secret: my-secret-key"}'
Esc
↑↓ navigate open Esc close