Generate and verify HMAC-SHA-256, SHA-512, SHA-384 & SHA-1 signatures using the Web Crypto API — 100% client-side.
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key: HMAC(K, m) = H((K⊕opad) ∥ H((K⊕ipad) ∥ m)). Unlike a plain hash, it provides both integrity and authenticity — only someone with the key can produce or verify the signature.
GitHub, Stripe, Shopify and most major APIs use HMAC-SHA-256 to sign webhook payloads. The platform signs the raw request body with a shared secret and sends the result in a header like X-Hub-Signature-256. Your server recomputes the HMAC over the same raw body and compares it with the header value.
JSON Web Tokens use HMAC-SHA-256 (HS256) to sign the header + payload. The signature is computed over base64url(header) + "." + base64url(payload) with a secret key, then appended as the third JWT segment. This tool lets you reproduce that signature manually.
This tool uses crypto.subtle.verify() for signature verification, which performs constant-time comparison internally — preventing timing side-channel attacks that could leak whether signatures partially match. Never use string equality (===) to compare HMACs in production.
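An added example (not this tool's own code) of the webhook check described above: it verifies a GitHub-style `sha256=<hex>` header value with crypto.subtle.verify() instead of ===, and rejects malformed headers before any key is used. The function names and sample constants are assumptions made for illustration; the sample secret and body are the key and message of RFC 4231 test case 2.

```javascript
// Added example: verify a "sha256=<hex>" webhook signature with the Web Crypto API.
// Browsers and Node 19+ expose globalThis.crypto; older Node falls back to node:crypto.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const encoder = new TextEncoder();
const toBytes = d => (typeof d === 'string' ? encoder.encode(d) : d);

// Constructed sample input: key and message from RFC 4231 test case 2.
const SAMPLE_SECRET = 'Jefe';
const SAMPLE_BODY = 'what do ya want for nothing?';

// Parse a hex string into bytes; returns null for empty, odd-length or non-hex input.
function hexToBytes(hex) {
  if (hex.length === 0 || hex.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(hex)) return null;
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  return out;
}

function bytesToHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// Import the shared secret as a non-extractable HMAC-SHA-256 key.
function importHmacKey(secret, usages) {
  return subtle.importKey('raw', toBytes(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, usages);
}

// Sender side: compute the header value for the raw body.
async function signBody(secret, rawBody) {
  const key = await importHmacKey(secret, ['sign']);
  const mac = await subtle.sign('HMAC', key, toBytes(rawBody));
  return 'sha256=' + bytesToHex(new Uint8Array(mac));
}

// Receiver side: check the header against the body bytes exactly as received.
// Returns false (never throws) for a missing prefix or malformed hex.
async function verifyWebhook(secret, rawBody, headerValue) {
  const prefix = 'sha256=';
  if (typeof headerValue !== 'string' || !headerValue.startsWith(prefix)) return false;
  const sig = hexToBytes(headerValue.slice(prefix.length));
  if (sig === null) return false;
  const key = await importHmacKey(secret, ['verify']);
  return subtle.verify('HMAC', key, sig, toBytes(rawBody));
}
```

Pass the body bytes as they arrived on the wire: re-serializing parsed JSON can change whitespace or key order, and the recomputed HMAC will then not match.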