Free HMAC Generator & Webhook Signature Verifier

Generate HMAC signatures instantly using SHA-1, SHA-256, or SHA-512. Verify webhook signatures from Stripe, GitHub, Shopify, and more — 100% private, processed in your browser.

Last updated: May 21 2026

Reviewed by the QuickTooly Team

HMAC Generator Guide

Why Use QuickTooly's HMAC Generator?

  • Instant generation: Compute HMAC signatures for SHA-1, SHA-256, and SHA-512 in milliseconds.
  • 100% private: All cryptographic operations run in your browser using native SubtleCrypto — your message and secret key never leave your device.
  • Webhook verifier built-in: Paste an expected signature from Stripe, GitHub, or Shopify and instantly confirm whether it matches.
  • Hex & Base64 output: Get results in both formats to match any API or platform requirement.
  • No dependencies: Built on the browser's native Web Crypto API — no third-party libraries required.
  • 100% free: No sign-up, no limits, no watermarks.

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a secret key with a hash function (SHA-256, SHA-512, etc.) to produce a signature. Unlike a plain hash, an HMAC cannot be forged without the secret key — making it the standard for verifying that a message was sent by a trusted source and has not been tampered with.

HMAC is widely used in API authentication, webhook signature verification, session tokens, and data integrity checks. When Stripe, GitHub, or Shopify sends a webhook event, they sign the request body with HMAC-SHA256 using a shared secret. Your server recomputes the same signature and compares — if they match, the request is authentic.

Webhook Signature Formats by Provider

Different platforms format their webhook signatures slightly differently. Here's how to extract the raw signature for verification:

  • Stripe: Stripe-Signature header, format: t=timestamp,v1=hex_signature. Use the v1= value and sign timestamp.payload.
  • GitHub: X-Hub-Signature-256 header, format: sha256=hex_signature. Paste the full value — the verifier strips the prefix automatically.
  • Shopify: X-Shopify-Hmac-Sha256 header, value is Base64-encoded SHA-256 HMAC.
  • Twilio: X-Twilio-Signature header, Base64-encoded SHA-1 HMAC.
  • Slack: X-Slack-Signature header, format: v0=hex_signature, sign v0:timestamp:payload.

How to Use This HMAC Generator

  • Select an algorithm — SHA-256 is the most common choice for modern APIs
  • Enter your message — paste the raw request body or any text you want to sign
  • Enter your secret key — the shared secret from your webhook configuration
  • Click Generate HMAC — results appear in both hex and Base64 formats
  • Verify a signature — paste the expected signature from your provider to confirm a match

HMAC vs Plain Hash

A plain hash (like SHA-256 alone) verifies data integrity but not authenticity — anyone can compute it. HMAC adds a secret key, so only parties who know the key can generate or verify the signature. This makes HMAC suitable for authentication, while plain hashes are better for checksums and deduplication.

Frequently Asked Questions

Which algorithm should I use — SHA-1, SHA-256, or SHA-512?

Use SHA-256 for most modern APIs — it's the current standard for webhook signatures (Stripe, GitHub, Shopify). SHA-512 provides a larger output and slightly more security margin for future-proofing. SHA-1 is only needed for legacy systems (e.g. older Twilio webhooks) and is considered weak for new applications.

Is my secret key safe when I use this tool?

Yes. The HMAC computation runs entirely in your browser using the native Web Crypto API (SubtleCrypto). Your message and secret key are never sent to any server, stored in a database, or logged anywhere. The tool works fully client-side once the page loads.

Why does the webhook verifier show "no match" even though I think the key is correct?

The most common causes are: (1) the message payload includes extra whitespace or a trailing newline, (2) the provider signs a composite string (e.g. Stripe signs timestamp.payload), (3) the expected signature includes a prefix like sha256= that you need to strip before pasting (our verifier strips common prefixes automatically), or (4) you're using the wrong algorithm.

What is the difference between hex and Base64 HMAC output?

Both represent the same binary signature — they differ only in encoding. Hex uses 0–9 and a–f characters and is more human-readable for debugging. Base64 is more compact and is preferred by some providers (Shopify, Twilio). Check your provider's documentation to see which format they use.

Can I use this to generate HMAC for API authentication headers?

Yes. Enter the string your API requires you to sign (often a combination of HTTP method, path, timestamp, and body) and your API secret key. Copy the hex or Base64 result and include it in the appropriate header, such as Authorization: HMAC-SHA256 signature=....

Does HMAC protect against replay attacks?

HMAC alone does not prevent replay attacks — it only verifies authenticity and integrity. To guard against replays, providers like Stripe and Slack include a timestamp in the signed payload and reject requests older than a few minutes. Always validate the timestamp on your server in addition to the HMAC signature.
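
The server-side check described in the provider format list and in the replay answer above, as an added Python example (not QuickTooly's code): it verifies the GitHub, Shopify, and Stripe formats with a constant-time comparison and rejects stale Stripe timestamps. The 300-second tolerance, the function names, and the sample secret and body are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window ("a few minutes" on the page)


def mac_sha256(secret: bytes, message: bytes) -> bytes:
    """Raw HMAC-SHA256 over the exact bytes received (no re-serialising)."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def verify_github(secret: bytes, body: bytes, header: str) -> bool:
    """X-Hub-Signature-256: sha256=<hex> over the raw body."""
    scheme, _, sig = header.partition("=")
    expected = mac_sha256(secret, body).hex().encode()
    # compare_digest is constant-time; == would leak the mismatch position.
    return scheme == "sha256" and hmac.compare_digest(expected, sig.lower().encode())


def verify_shopify(secret: bytes, body: bytes, header: str) -> bool:
    """X-Shopify-Hmac-Sha256: Base64 of the same MAC, not hex."""
    expected = base64.b64encode(mac_sha256(secret, body))
    return hmac.compare_digest(expected, header.strip().encode())


def verify_stripe(secret: bytes, body: bytes, header: str, now=None) -> bool:
    """Stripe-Signature: t=<ts>,v1=<hex> over b"<ts>." + body, plus freshness."""
    fields = [item.partition("=") for item in header.split(",")]
    ts = next((v for k, _, v in fields if k.strip() == "t"), "")
    sigs = [v for k, _, v in fields if k.strip() == "v1"]
    if not (ts.isascii() and ts.isdigit()):
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > TOLERANCE_SECONDS:
        return False  # outside the window: reject as a possible replay
    expected = mac_sha256(secret, ts.encode() + b"." + body).hex().encode()
    return any(hmac.compare_digest(expected, s.encode()) for s in sigs)


if __name__ == "__main__":
    # Constructed sample values, not real provider data.
    secret, body, ts = b"constructed-test-secret", b'{"event":"ping"}', "1700000000"
    sig = mac_sha256(secret, ts.encode() + b"." + body).hex()
    print(verify_stripe(secret, body, f"t={ts},v1={sig}", now=1700000060))  # fresh
    print(verify_stripe(secret, body, f"t={ts},v1={sig}", now=1700003600))  # stale
```

Pass the raw request bytes exactly as received: parsing and re-serialising the JSON body changes whitespace and produces the "no match" result described in the FAQ.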