HMAC-SHA256 Generator

What is HMAC-SHA256 Generator

Last reviewed: April 18, 2026

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash with a secret key to verify both the integrity and authenticity of a message.

HMAC-SHA256 Generator computes an RFC 2104 HMAC using the SHA-256 hash function and a shared secret, returning a 64-character hex digest.

HMAC-SHA256 is the workhorse of modern API signing: JWTs with HS256, Stripe, GitHub, Slack, and AWS SigV4 webhooks all depend on it, so being able to reproduce a signature quickly saves a lot of time in debugging.

Why use it

• Verify Stripe, GitHub, Slack, and other webhook signatures.
• Sign and validate JWTs that use the HS256 algorithm.
• Reproduce AWS-style request signatures and canonical headers.
• Generate reference vectors during cross-language HMAC testing.
• Avoid pushing debug payloads through OpenSSL for every signature check.

Features

• Instant HMAC-SHA256 hex output
• Matches OpenSSL, Node.js, Go, Python, and Rust implementations
• Ideal for JWT HS256 and API signature debugging
• Client-side signing — no upload
• Handles any UTF-8 payload and key

How to use HMAC-SHA256 Generator

1. Paste the canonical string. Drop the exact string-to-sign into the input panel.
2. Enter the shared secret. Paste the secret into the Secret field, matching your peer's key byte-for-byte.
3. Copy the signature. The 64-character hex digest appears instantly — copy it into your Authorization header or verifier.

Example (before/after)

message: api-request-body
key: sha256-api-key

e1c92d13d9de3b6b8b1d63bff2dda61e2f6ab6b48dde0a8842c8a7ec03cdb1ef

Common errors

FAQ

Related tools

Extend the HMAC-SHA256 workflow with JWT tools, webhook verifiers, and adjacent HMAC variants. You can also browse the full Cryptography & Hashing category for more options.