HMAC Generator
Generate HMAC-SHA256, HMAC-SHA1, and HMAC-MD5 signatures for webhook verification, API authentication, and message integrity checks. Runs entirely in your browser.
Generate HMAC Signatures Online
Enter a secret key and message to compute an HMAC signature. Used to verify Stripe webhooks, GitHub webhook payloads, Shopify HMAC headers, and any API that signs requests with a shared secret.
- HMAC-SHA256: The standard for modern webhook and API signing
- HMAC-SHA1: Legacy support; GitHub webhooks use this by default
- HMAC-MD5: For systems still using older signing schemes
- Hex and Base64 output: Choose the encoding your API expects
Common HMAC Use Cases
- Stripe webhooks: Stripe signs every event with HMAC-SHA256 using your webhook signing secret; compute `HMAC-SHA256(secret, "timestamp.payload")` and compare to the `Stripe-Signature` header
- GitHub webhooks: Payloads are signed with `HMAC-SHA256(secret, body)`; the signature appears in the `X-Hub-Signature-256` header
- Shopify: Verifies webhook authenticity using `HMAC-SHA256(secret, body)` encoded as Base64
- AWS Signature V4: Uses HMAC-SHA256 as a building block for request signing; derive signing keys via chained HMAC operations
- JWT HS256: JWT tokens using the HS256 algorithm are signed with HMAC-SHA256
HMAC in Code
- Node.js: `crypto.createHmac('sha256', secret).update(message).digest('hex')`
- Python: `hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()`
- Go: `mac := hmac.New(sha256.New, []byte(secret)); mac.Write([]byte(message)); hex.EncodeToString(mac.Sum(nil))`
- PHP: `hash_hmac('sha256', $message, $secret)`
- Ruby: `OpenSSL::HMAC.hexdigest('SHA256', secret, message)`
Frequently Asked Questions
What is HMAC and how is it different from a plain hash?
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key: `HMAC(key, message) = Hash((key XOR opad) || Hash((key XOR ipad) || message))`. A plain hash (SHA-256) verifies integrity, and anyone can compute it. HMAC verifies both integrity and authenticity: only someone who knows the secret key can produce a valid signature. This makes HMAC suitable for API authentication and webhook verification, where you need to confirm the sender knows the shared secret.
Is it safe to use this tool with my real webhook secret?
The HMAC computation runs entirely in your browser using the Web Crypto API, so your secret key is never transmitted to any server. You can verify this by opening browser DevTools (F12 → Network tab) and confirming no outbound requests are made when you click generate. That said, for production secret management, generate and verify HMAC signatures in your application code rather than manually. This tool is intended for debugging and verification during development.
Why does Stripe's HMAC include a timestamp in the message?
Stripe's webhook signature scheme signs `timestamp + "." + payload` rather than just the payload. The timestamp prevents replay attacks: an attacker who intercepts a valid webhook payload can't resend it later, because Stripe requires the timestamp to be within 5 minutes of the current time. Always include timestamp validation in your webhook handler, not just HMAC verification.
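A handler-side check that combines the HMAC comparison with the timestamp window, as an added example (not code from this page or from Stripe's libraries). It assumes the `Stripe-Signature` header carries a `t=<unix timestamp>` field and one or more `v1=<hex HMAC>` fields separated by commas, a layout this page does not spell out; the secret, payload and timestamp are constructed sample values.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # the 5-minute window described above

# Constructed sample values, not real credentials or events.
SAMPLE_SECRET = "whsec_constructed_example"
SAMPLE_PAYLOAD = b'{"id":"evt_constructed","type":"ping"}'
SAMPLE_TIME = 1700000000


def sign(secret: str, timestamp: str, payload: bytes) -> str:
    """HMAC-SHA256(secret, "timestamp.payload") as lowercase hex."""
    signed = timestamp.encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify(secret, header, payload, now=None, tolerance=TOLERANCE_SECONDS):
    """Return (ok, reason) for a raw request body and its signature header."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if not timestamp or not (timestamp.isascii() and timestamp.isdigit()) or not candidates:
        return False, "malformed header"

    # The timestamp is inside the MAC input, so editing "t=" breaks the MAC.
    expected = sign(secret, timestamp, payload).encode()
    matched = False
    for candidate in candidates:  # constant-time compare, no early exit
        matched |= hmac.compare_digest(expected, candidate.encode())
    if not matched:
        return False, "signature mismatch"

    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > tolerance:
        return False, "timestamp outside tolerance"
    return True, "ok"


if __name__ == "__main__":
    header = f"t={SAMPLE_TIME},v1={sign(SAMPLE_SECRET, str(SAMPLE_TIME), SAMPLE_PAYLOAD)}"
    print(verify(SAMPLE_SECRET, header, SAMPLE_PAYLOAD, now=SAMPLE_TIME + 10))
    print(verify(SAMPLE_SECRET, header, SAMPLE_PAYLOAD, now=SAMPLE_TIME + 3600))
```

Pass the raw request bytes as `payload`; re-serializing parsed JSON before verification changes the bytes and the comparison fails.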