#️⃣

Generate HMAC

Generate HMAC signatures for message authentication using SHA-256/384/512.

POST 1 credit /v1/auth/hmac

curl -X POST "https://auth.toolkitapi.io/v1/auth/hmac" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "Hello, World!",
    "key": "my-secret-key",
    "algorithm": "sha256"
  }'

import httpx

resp = httpx.post(
    "https://auth.toolkitapi.io/v1/auth/hmac",
    json={
    "message": "Hello, World!",
    "key": "my-secret-key",
    "algorithm": "sha256"
  },
)
print(resp.json())

const resp = await fetch("https://auth.toolkitapi.io/v1/auth/hmac", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    "message": "Hello, World!",
    "key": "my-secret-key",
    "algorithm": "sha256"
  }),
});
const data = await resp.json();
console.log(data);

# See curl example

Response 200 OK

{
  "hmac": "8a7a79421413ad53b34dc84e5a1a7e34085d237e9e78b9a5c41f72a74e832c5c",
  "algorithm": "sha256"
}

Try It Live

Description

Generate HMAC signatures for message authentication using SHA-256/384/512.

How to Use

1

1. Set the `message` field to the string you want to authenticate.

2

2. Provide your secret `key` — this should be a shared secret between the signer and verifier.

3

3. Optionally specify the `algorithm` (defaults to `sha256`).

4

4. Send a POST request and use the returned hex-encoded `hmac` value as the message signature.

About This Tool

The Generate HMAC endpoint creates a Hash-based Message Authentication Code (HMAC) for a given message using a secret key. HMAC provides both data integrity and authenticity — it proves that the message hasn't been altered and was created by someone who possesses the secret key.

Unlike plain hashing, HMAC incorporates a secret key into the computation, making it impossible for an attacker to forge a valid signature without knowing the key. This makes it ideal for webhook verification, API request signing, and secure token construction.

The endpoint supports SHA-256, SHA-384, and SHA-512 as the underlying hash algorithms, with SHA-256 as the default.

Why Use This Tool

Webhook signature verification — Sign outgoing webhooks so receivers can verify authenticity
API request signing — Add HMAC signatures to API calls for tamper-proof requests
Message authentication — Ensure messages haven't been modified in transit
Secure cookie signing — Sign session cookies to detect client-side tampering
Data integrity for queues — Sign messages before pushing to message queues

Frequently Asked Questions

How is HMAC different from a regular hash?

A regular hash only depends on the input data. HMAC combines the input with a secret key, so only parties who know the key can generate or verify the signature. This prevents forgery attacks.

What key length should I use?

Your key should be at least as long as the hash output (32 bytes for SHA-256). Shorter keys are padded internally, but longer keys provide better security margins.

Can I use this for webhook verification?

Yes. Generate an HMAC of the webhook payload with your secret, and include it in a header. The receiver computes the same HMAC and compares — use the `/auth/hmac-verify` endpoint for constant-time comparison.

Start using Generate HMAC now

Get your free API key and make your first request in under a minute.

Get Free API Key View Docs