CyberChef
Bookmarks

Hmac generator

Computes a hash-based message authentication code (HMAC) using a secret key and your favorite hashing function.

Plain text to compute the hash

Secret key

Hashing function

Output encoding

HMAC of your text

Usage Guide & Notes

How to Use
  1. Enter your message text in the plain text area
  2. Provide a strong secret key
  3. Select your hashing algorithm (SHA256 is recommended for most uses)
  4. Choose your preferred output encoding format
  5. The HMAC will be generated automatically
  6. Use the copy button to copy the result to your clipboard
What is HMAC?

HMAC (Hash-based Message Authentication Code) is a mechanism for calculating a message authentication code using a cryptographic hash function combined with a secret key. It simultaneously verifies both data integrity and authenticity.

HMAC security depends on:

  • The cryptographic strength of the underlying hash function
  • The length and entropy (randomness) of the secret key
  • The proper implementation of the HMAC algorithm

Unlike standard hashing, HMAC requires a shared secret key between the sender and receiver.

Security Considerations
  • Use a strong, random secret key with at least 32 bytes of entropy
  • While an empty key is allowed, it significantly reduces security - only use for testing
  • Choose SHA256 or stronger algorithms for security-sensitive applications
  • Avoid MD5 and SHA1 for new security implementations (they're cryptographically weak)
  • All computation happens locally in your browser - no data is transmitted
  • Keep your secret key secure - anyone with the key can generate or validate HMACs
  • For web APIs, consider adding timestamp and nonce values to prevent replay attacks
Common Use Cases
  • API Authentication: Verifying that API requests are authentic and unaltered
  • Message Integrity: Ensuring data hasn't been tampered with during transmission
  • Webhook Verification: Validating that webhook payloads come from trusted sources
  • Cookie/Token Security: Adding tamper-proof signatures to session tokens
  • File Integrity: Verifying downloaded files haven't been modified
  • Challenge-Response Systems: Creating one-time authentication challenges
HMAC vs Other Methods
  • HMAC vs Plain Hashing: HMAC adds a secret key, providing authentication in addition to integrity
  • HMAC vs Digital Signatures: HMAC uses symmetric keys (faster but requires secure key exchange), while digital signatures use asymmetric keys (slower but easier key distribution)
  • HMAC vs Encryption: HMAC verifies authenticity and integrity but doesn't hide the original message