
Calculate HMAC signatures. Free online tool, no login, no sign-up.


Usage Guide & Tech FAQ

Usage Guide

  1. Enter the exact message bytes your peer signs (raw bytes vs UTF-8 text must match the contract).
  2. Provide the same secret as the other side—watch trailing newlines/BOM when pasting from files.
  3. Pick the algorithm (e.g., HMAC-SHA256) and confirm whether SHA-384/512 are allowed or weak algos are forbidden.
  4. Copy the digest in the agreed encoding (hex, base64, base64url) and the same casing rules if any.
  5. Verification requires matching message, key, algorithm, and output encoding—any mismatch looks like “bad signature”.
  6. Large messages allocate memory before hashing—prove the flow on a small sample first.
  7. For REST signing, confirm the canonical string: HTTP method, path, sorted query, body hash, etc.
  8. Across languages, watch Unicode normalization and whitespace folding—strings can look identical yet differ in bytes.
  9. Share minimal redacted snippets with teammates to align byte-level inputs when debugging.
  10. Clear secret inputs after use; avoid production secrets on shared machines.
  11. Read the title and description first to confirm this utility matches your task (avoid using the wrong tool and misinterpreting output).
  12. Paste or type input in the editor; if a sample/template is provided, load it first to learn the expected output shape.

Related Tech Knowledge

  • HMAC is a keyed construction built on a hash function; output length follows the underlying hash (e.g., 32 bytes for SHA-256).
  • Security depends on secret entropy and hash strength; short passwords materially weaken HMAC.
  • Hex/base64 are presentation layers—compare signatures after normalizing to the same representation.
  • Use constant-time comparisons in production services; plain JS `===` is not a constant-time comparison and is not ideal for high-threat scenarios.
  • Don’t confuse HMAC with KDFs like HKDF/PBKDF2—different purposes and threat models.
  • Many webhooks sign headers like `X-Hub-Signature-256` with a `sha256=` prefix—match the spec exactly.
  • Reusing one MAC key across unrelated services expands blast radius; partition secrets per service/tenant.
  • WebCrypto algorithm availability differs slightly by browser—test your targets.
  • Computation stays local with safeguards for personal data (see the page note).
  • For compliance, record the hash algorithm and encoding rules you used for later audits.
  • Core parsing and computation run in your browser; by default your raw business payload is not persisted to this site’s servers (see on-page privacy notes).
  • The pipeline is typically: read input → parse (lexical/syntactic/structured) → transform → render; failures aim to be diagnosable.
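
The verification points above (exact bytes, the `sha256=` prefix, encoding normalization, constant-time comparison) put together as an added Node.js example; it is not code from this tool. The function names, secret and body are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Accepted text shapes per encoding; malformed input is rejected up front
// because Buffer.from would otherwise silently drop invalid characters.
const SHAPES = new Map([
  ["hex", /^(?:[0-9a-fA-F]{2})+$/],
  ["base64", /^[A-Za-z0-9+/]+={0,2}$/],
  ["base64url", /^[A-Za-z0-9_-]+$/],
]);

// Decode a presented signature to raw bytes so casing and encoding stop mattering.
function decodeSignature(text, encoding) {
  const shape = SHAPES.get(encoding);
  if (!shape || !shape.test(text)) return null;
  return Buffer.from(text, encoding);
}

// Sender side: HMAC-SHA256 over the exact body bytes, with the "sha256=" prefix.
function signBody(rawBody, secret, encoding = "hex") {
  return "sha256=" + createHmac("sha256", secret).update(rawBody).digest(encoding);
}

// Receiver side: recompute over the raw bytes and compare in constant time.
function verifyBody(rawBody, secret, header, encoding = "hex") {
  if (typeof header !== "string" || !header.startsWith("sha256=")) return false;
  const presented = decodeSignature(header.slice("sha256=".length), encoding);
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (presented === null || presented.length !== expected.length) return false;
  return timingSafeEqual(presented, expected);
}

// Constructed sample values, not taken from any real service.
const SECRET = "constructed-demo-secret";
const BODY = Buffer.from('{"event":"ping","id":42}', "utf8");

function demo() {
  const header = signBody(BODY, SECRET);
  return {
    ok: verifyBody(BODY, SECRET, header),
    upperHex: verifyBody(BODY, SECRET, "sha256=" + header.slice(7).toUpperCase()),
    base64: verifyBody(BODY, SECRET, signBody(BODY, SECRET, "base64"), "base64"),
    secretWithNewline: verifyBody(BODY, SECRET + "\n", header),
    bodyWithNewline: verifyBody(Buffer.concat([BODY, Buffer.from("\n")]), SECRET, header),
    missingPrefix: verifyBody(BODY, SECRET, header.slice(7)),
    truncated: verifyBody(BODY, SECRET, header.slice(0, -2)),
  };
}

console.log(demo());
```

The last four results come back `false`: a pasted trailing newline in the secret or body, a missing prefix, or a shortened digest all present as the same "bad signature".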