HMAC Generator (SHA-256/384/512)

Compute a keyed HMAC over a message with your secret key, shown as hex and Base64, via the browser's native Web Crypto. The same construction the JWT verifier uses for HS256. Your key never leaves your browser.

Message

Secret key

HMAC runs locally via Web Crypto. Your message and key never leave your browser.

How HMAC is built

HMAC hashes the message twice. The key is XORed with a fixed inner pad before the first hash and with an outer pad before the second, and this two-pad construction is what prevents length-extension attacks. The key is first reduced to the hash's block size.

References

RFC 2104 - HMAC: Keyed-Hashing for Message Authentication
RFC 4231 - HMAC-SHA Identifiers and Test Vectors
FIPS 198-1 - The Keyed-Hash Message Authentication Code (HMAC)