Sign a message with a secret key to produce an HMAC, the keyed hash used to verify webhook payloads and API requests. Everything runs in your browser and updates as you type.
An HMAC is a keyed hash. Instead of hashing a message on its own, you mix in a secret key that both sides share, so the output proves two things at once: the message wasn't tampered with, and it came from someone who holds the key. Plain hashes can't do that second part - anyone can recompute a SHA-256, but only someone with the secret can produce a matching HMAC. The algorithm name tells you the underlying hash, so HMAC-SHA256 is an HMAC built on SHA-256.
Enter your secret key and the message you want to sign, then pick the hash algorithm. The HMAC updates as you type. Switch the output between hex and Base64 depending on what the other system expects, and copy the result with one click.
Verifying webhook payloads from Stripe, GitHub, Slack, or Shopify, which sign each request so you can confirm it really came from them. Signing your own API requests. Building or debugging request-signing schemes. Checking that a value you received matches the HMAC you expected before trusting it.