Generate HMAC signatures with any hash function - the standard for API authentication and message integrity.
About
HMAC (Hash-based Message Authentication Code) is a standard construction for creating message authentication codes with a cryptographic hash function and a secret key, providing both data integrity and authenticity verification.
Specifications
Output Size: Variable
Standard: FIPS 198-1
Standard Year: 2008
Origin: RFC 2104 (HMAC)
Origin Year: 1997
Use Cases
—API request signing and authentication
—JWT (JSON Web Token) signatures
—Webhook payload verification
—TLS/SSL session authentication
—Software update integrity checks
Frequently Asked Questions
Use SHA-256 for most applications. SHA-512 is fine for high-security needs. Avoid SHA-1 (deprecated) and MD5 (broken). HMAC-SHA256 is the most widely supported and secure choice for API authentication, JWT signatures, and message integrity.
HMAC internally hashes keys longer than the block size, so exact length matching isn't required. However, for best security, use a key with entropy at least equal to the hash output length (256 bits for HMAC-SHA256). Randomly generated 256-bit keys are ideal.
Never use a simple secret-prefix construction (H(key || message)), as it is vulnerable to length extension attacks. Always use HMAC, which is specifically designed to be secure against such attacks. HMAC also handles key length normalization properly.
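The key handling and verification described in the answers above, as an added Python example (not code from this page or tool): it builds HMAC from the RFC 2104 definition to show the key normalization step, then signs and verifies a payload with a constant-time comparison. The function names and the sample webhook body are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC per RFC 2104, written out on top of hashlib to show each step."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256
    # Key normalization: a key longer than one block is hashed first,
    # then every key is zero-padded to exactly one block.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # Two nested hashes: H(opad || H(ipad || message)). The outer hash is
    # what separates HMAC from the plain H(key || message) prefix scheme.
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def sign(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 signature as lowercase hex, using the standard library."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, signature_hex: str) -> bool:
    """Recompute the tag and compare in constant time (never use ==)."""
    expected = sign(key, message).encode()
    return hmac.compare_digest(expected, signature_hex.strip().lower().encode())


def demo() -> dict:
    key = secrets.token_bytes(32)  # random 256-bit key
    body = b'{"event":"order.paid","id":"constructed-001"}'  # constructed sample
    sig = sign(key, body)
    long_key = b"k" * 100  # longer than the 64-byte SHA-256 block
    return {
        "manual_matches_stdlib": hmac_manual(key, body).hex() == sig,
        "valid_accepted": verify(key, body, sig),
        "tampered_rejected": not verify(key, body.replace(b"paid", b"void"), sig),
        # A long key and its SHA-256 digest yield the same tag.
        "long_key_is_hashed": sign(long_key, body)
        == sign(hashlib.sha256(long_key).digest(), body),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```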