HMAC
Compute an HMAC signature of a file with your own secret key. Pairs with the hash tool — use HMAC when you also need authentication, not just integrity.
About HMAC
HMAC computes a keyed signature of any file using a secret you supply, over SHA-256, SHA-512, or SHA-1. Unlike a plain checksum, an HMAC proves both that the data is intact and that whoever produced it held the shared key — that's authentication, not just integrity. The whole computation happens in your browser, so your secret key never touches a server.
- Category: inspect
- Input: accepts */* (any file type)
- Output: application/json
- Cost: free, runs in your browser
- Memory: low
Common uses
- Generate the HMAC-SHA256 a webhook receiver expects, to test your endpoint locally
- Sign a build artifact with a team secret so downstream consumers can verify its origin
- Reproduce an API request signature to debug a 401 against a service that uses HMAC auth
- Authenticate a config file you're distributing, so tampering is detectable by anyone with the key
- Confirm a partner computed the same signature over a shared payload and key
- Produce a keyed digest for a message queue that requires authenticated messages
Frequently asked questions
How is HMAC different from a regular hash?
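A plain hash only proves the bytes are unchanged. HMAC mixes in a secret key, so it also proves the signer knew that key, giving you authentication on top of integrity. Because the key is shared, anyone who can verify an HMAC can also produce one, so it does not show which key holder signed.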
Which hash functions are available?
SHA-256, SHA-512, and SHA-1 as the underlying digest.
Does my secret key leave my device?
No. The HMAC is computed entirely in your browser; the key and the file are never uploaded.
What input can I sign?
Any file — the tool accepts all types and signs the raw bytes.
What does the output look like?
A JSON result containing the computed signature for inspection or copying.
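The in-browser computation described above can be reproduced with the Web Crypto API. The following is an added example, not the tool's own code: the function names and the JSON field names (`algorithm`, `signature`) are assumptions, and verification is included because a receiver has to check a tag as well as produce one.

```javascript
// Added example: HMAC over raw bytes with the Web Crypto API.
// Browsers expose crypto.subtle in secure contexts; older Node falls back to node:crypto.
const subtle = (globalThis.crypto && globalThis.crypto.subtle) ||
  require('node:crypto').webcrypto.subtle;

// The three digests the page lists, under their Web Crypto names.
const DIGESTS = ['SHA-256', 'SHA-512', 'SHA-1'];

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Returns null for anything that is not an even-length hex string.
const fromHex = (hex) =>
  /^([0-9a-fA-F]{2})+$/.test(hex)
    ? Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16))
    : null;

async function importKey(secret, hash, usages) {
  if (!DIGESTS.includes(hash)) throw new Error(`unsupported digest: ${hash}`);
  const raw = new TextEncoder().encode(secret);
  if (raw.length === 0) throw new Error('secret must not be empty');
  // extractable = false: the key material cannot be exported from the key object.
  return subtle.importKey('raw', raw, { name: 'HMAC', hash }, false, usages);
}

// Sign raw bytes (a Uint8Array or ArrayBuffer, e.g. from `await file.arrayBuffer()`).
// The returned object shape is hypothetical, standing in for the tool's JSON output.
async function hmacBytes(secret, bytes, hash = 'SHA-256') {
  const key = await importKey(secret, hash, ['sign']);
  const tag = await subtle.sign('HMAC', key, bytes);
  return { algorithm: `HMAC-${hash}`, signature: toHex(tag) };
}

// Check a received tag with subtle.verify instead of comparing hex strings with ===,
// so the comparison is left to the crypto implementation.
async function verifyHmac(secret, bytes, signatureHex, hash = 'SHA-256') {
  const sig = fromHex(signatureHex);
  if (sig === null) return false; // malformed tag: reject without touching the key
  const key = await importKey(secret, hash, ['verify']);
  return subtle.verify('HMAC', key, sig, bytes);
}
```

Both sides must sign exactly the same bytes: a re-encoded or pretty-printed copy of a payload produces a different tag even when the key matches.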
Keywords
- hmac
- signature
- mac
- sha256
- sha512
- sha1
- authentication
- integrity
- sign