Cryptography Utilities

HMAC Signature Generator

Calculate Hash-based Message Authentication Codes (HMAC) to securely verify API requests and webhooks. Keys and payloads never leave your browser.

100% Client-Side

Pasting production API keys online is dangerous. This tool executes entirely within your browser memory. We log nothing.

Native Web Crypto

Powered by the blazing-fast crypto.subtle.sign() API built directly into modern web browsers.

Webhook Verification

Instantly verify incoming Stripe, GitHub, or Shopify webhook payloads against your stored server secrets.

How Zero-Knowledge Works

ZeroKey uses cryptographic primitives to deliver payloads securely.

Authenticity is not Privacy.

HMAC guarantees that a message hasn't been tampered with, but it does not encrypt the payload. Anyone intercepting the network request can still read your data in plaintext.

If you need to send highly sensitive configuration files, database credentials, or API keys to a colleague, you need end-to-end AES encryption, not just an HMAC signature.


What is an HMAC?

HMAC stands for Hash-based Message Authentication Code. It is a specific type of message authentication code involving a cryptographic hash function (like SHA-256) combined with a secret cryptographic key.

When two parties share a secret key, HMACs allow them to verify both the data integrity and the authenticity of a message. If a hacker intercepts a message and modifies the payload, the HMAC computed over the tampered payload will be completely different from the signature that was attached to the original message, so verification fails. Because the hacker does not possess the secret key, they cannot generate a new, valid signature for their tampered payload.

How to generate an HMAC in JavaScript

If you need to implement webhook verification or API signing in your own Node.js or browser application, you should use the native Web Crypto API. Here is the framework-free approach:

hmac-signer.js
async function generateHMAC(secret, payloadStr) {
    const encoder = new TextEncoder();
    
    // 1. Import the raw secret key
    const key = await crypto.subtle.importKey(
        "raw",
        encoder.encode(secret),
        { name: "HMAC", hash: "SHA-256" },
        false,
        ["sign"]
    );

    // 2. Sign the payload to generate the buffer
    const signatureBuffer = await crypto.subtle.sign(
        "HMAC",
        key,
        encoder.encode(payloadStr)
    );

    // 3. Convert buffer to Hex string
    const hashArray = Array.from(new Uint8Array(signatureBuffer));
    return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
}
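
The receiving side of the same check, as an added example (not code from this page or the ZeroKey tool): it verifies a signature with crypto.subtle.verify() instead of generating one. The names verifyWebhook and hexToBytes are hypothetical, and the signature is assumed to be a bare hex HMAC-SHA256 of the raw request body; a provider that adds a prefix or timestamp to its header needs that handled first.

```javascript
// Added example (not the tool's own code): check a webhook HMAC-SHA256 signature.
// Browsers and Node 19+ expose Web Crypto globally; older Node needs the module.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// Decode a 64-character hex signature into 32 bytes; null if it is malformed.
function hexToBytes(hex) {
    if (typeof hex !== "string" || !/^[0-9a-fA-F]{64}$/.test(hex)) return null;
    const bytes = new Uint8Array(32);
    for (let i = 0; i < 32; i++) {
        bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
    }
    return bytes;
}

// rawBody must be the exact body as received (string or Uint8Array), not JSON
// that was parsed and re-serialized, or the bytes no longer match what was signed.
async function verifyWebhook(secret, rawBody, signatureHex) {
    const signature = hexToBytes(signatureHex);
    if (signature === null) return false; // reject before touching the key

    const encoder = new TextEncoder();
    const key = await subtle.importKey(
        "raw",
        encoder.encode(secret),
        { name: "HMAC", hash: "SHA-256" },
        false,
        ["verify"] // this key can check signatures but cannot create them
    );
    const data = typeof rawBody === "string" ? encoder.encode(rawBody) : rawBody;

    // verify() recomputes the HMAC and compares it inside the crypto library,
    // so application code never compares hex strings with ===.
    return subtle.verify("HMAC", key, signature, data);
}

// Constructed sample input: RFC 4231 test case 2 (key "Jefe").
const SAMPLE_SECRET = "Jefe";
const SAMPLE_BODY = "what do ya want for nothing?";
const SAMPLE_SIG = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843";

async function demo() {
    return {
        valid: await verifyWebhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_SIG),
        tamperedBody: await verifyWebhook(SAMPLE_SECRET, SAMPLE_BODY + " ", SAMPLE_SIG),
        malformedSig: await verifyWebhook(SAMPLE_SECRET, SAMPLE_BODY, "not-hex"),
    };
}
demo().then((result) => console.log(result));
```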

Frequently Asked Questions

Why are HMACs used for Webhooks?

Major platforms like Stripe, GitHub, Shopify, and Slack use HMAC signatures to secure their webhooks. When these platforms send an HTTP POST request to your backend server, they calculate an HMAC using the raw JSON payload and a secret key they gave you when you registered. They attach this HMAC to a header (e.g., Stripe-Signature). Your server must calculate the same hash to verify the payload was not forged by an attacker.

Is it safe to paste my API secret key here?

Yes. Pasting your Stripe or GitHub webhook secrets into standard online calculators is dangerous because remote servers can log your keys. However, this ZeroKey Utility runs 100% locally using JavaScript in your browser memory. We make zero network requests, ensuring your API secrets are completely isolated and safe.
