Online HMAC-SHA256 Generator
HMAC-SHA256 produces a message authentication code (MAC) using the SHA-256 hash function and a secret key. Enter the message in the Input field and the key under "More settings", then click the button. Everything runs on your device.
Everything runs in your browser. Your data is never sent to our servers.
Example
Example Input
Message: hello world • Key: secret
Example Output
734cc62f32841568f45715aeb9f4d7891324e6d948e4c6c60c0621cdac48623a
How to Use
- 1Enter the message you want to authenticate in the Input field.
- 2Open "More settings" and fill in the Secret key (required).
- 3Click the Generate Hash button (or press Ctrl+Enter) to compute the HMAC-SHA256.
- 4The MAC result appears in the Output field. Click Copy to copy it.
About HMAC-SHA256
HMAC-SHA256 is the HMAC construction (RFC 2104) built on top of the SHA-256 hash function. HMAC combines a message with a secret key through two hashing stages to produce a message authentication code (MAC) that is 256 bits long.
How it works: HMAC computes H((key ⊕ opad) ∥ H((key ⊕ ipad) ∥ message)), where ipad and opad are padding constants. This two-layer structure protects against length-extension attacks and mixes the key securely.
HMAC-SHA256 is widely used for API verification (e.g. request signing), tokens (like the JWT HS-series), webhooks, and message integrity. Its security depends on keeping the key secret and the strength of SHA-256.
FAQ
What is HMAC-SHA256?
HMAC-SHA256 is an HMAC (Hash-based Message Authentication Code) that uses the hash function in its name together with a secret key. It verifies both the authenticity (created by the key holder) and integrity (unaltered) of a message.
Why does HMAC need a key?
Without a key, a plain hash only proves integrity, not authenticity — anyone can recompute it. The secret key ensures only parties holding the key can produce a valid MAC.
Is my data sent to a server?
No. HMAC-SHA256 is computed entirely in your browser. Your message and key never leave your device.