Runs 100% in your browser — nothing uploaded

HMAC Generator & Verifier

Compute an HMAC-SHA signature from a message and a secret key, or verify a signature someone sent you — for webhook and API authentication. The key can be UTF-8, hex or base64, and the output hex or base64. It runs on the browser's Web Crypto API, so your secret key never leaves the device.


How to generate or verify an HMAC

Type or paste the message on the left and the secret key on the right, then pick the hash algorithm (SHA-256 is the common default). The signature appears immediately as hex and base64, and the format you select is the one the Copy button uses. To verify a signature instead, paste it into the verify field — the tool computes the HMAC and tells you whether it matches, using a comparison that does not leak timing. Nothing is uploaded; the computation runs in your browser.

What an HMAC actually is

HMAC stands for hash-based message authentication code. It combines a message with a secret key through a hash function (SHA-256, for example) to produce a short fixed-length tag. Anyone who holds the same secret can recompute the tag and confirm two things at once: that the message was created by a holder of the secret (authenticity) and that not a single byte has changed in transit (integrity). Unlike a plain hash, an HMAC cannot be recomputed by an attacker who lacks the key, which is what makes it suitable for signing requests.

This is why HMAC is everywhere in web infrastructure. Payment and platform webhooks — Stripe, GitHub, Shopify, Slack and many more — sign each callback with HMAC-SHA256 over the raw request body, and your endpoint is expected to recompute the signature and reject anything that does not match. API gateways use HMAC to authenticate requests without sending the secret over the wire. Getting the bytes exactly right matters, which is where a precise, deterministic tool helps.

Verifying a webhook signature

To check an incoming webhook, paste the exact request body (byte-for-byte, before any JSON re-formatting) as the message, enter the provider's signing secret as the key, and select the algorithm they document. Paste the signature header they sent into the verify field. A green match means the request is genuine and unmodified; a mismatch means the body, the secret, the algorithm or the encoding differs. The most common cause of a false mismatch is a re-serialized body — providers sign the raw bytes, so even a reordered key or changed whitespace breaks the signature.

Keys and output formats

The key encoding selector lets you supply the secret as plain UTF-8 text, as hexadecimal, or as base64, because services store and document keys differently — a key shown as a hex string is not the same bytes as that string treated as text. The output selector switches the signature between hex and base64 to match what the other side expects; for example, many providers send base64 signatures while others use lowercase hex. Both interpretations are always shown so you can compare against either format at a glance.
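
The two false-mismatch causes described above (a re-serialized body under "Verifying a webhook signature", and a hex key read as text under "Keys and output formats") can be reproduced with the same crypto.subtle API. This is an added example, not the tool's own source; the function names, the secret and the request body are constructed for illustration.

```javascript
// Added example, not the tool's source. Function names and sample values are constructed.
// Browsers and current Node expose Web Crypto globally; the require() covers older Node.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const utf8 = (s) => new TextEncoder().encode(s);

// Turn a key or signature string into the bytes its encoding says it represents.
function decode(text, encoding) {
  if (encoding === 'utf8') return utf8(text);
  if (encoding === 'base64') return Uint8Array.from(atob(text), (c) => c.charCodeAt(0));
  if (encoding === 'hex' && /^([0-9a-f]{2})+$/i.test(text)) {
    return Uint8Array.from(text.match(/../g), (h) => parseInt(h, 16));
  }
  throw new Error(`cannot decode as ${encoding}`);
}

function importKey(secret, keyEncoding, hash) {
  const alg = { name: 'HMAC', hash };
  return subtle.importKey('raw', decode(secret, keyEncoding), alg, false, ['sign', 'verify']);
}

// Compute the tag over the exact bytes given and return it as lowercase hex.
async function signHex(rawBody, secret, keyEncoding, hash = 'SHA-256') {
  const key = await importKey(secret, keyEncoding, hash);
  const tag = new Uint8Array(await subtle.sign('HMAC', key, rawBody));
  return Array.from(tag, (b) => b.toString(16).padStart(2, '0')).join('');
}

// subtle.verify recomputes the tag and compares it inside the crypto
// implementation, so no signature strings are compared with === here.
async function verifyWebhook(rawBody, secret, keyEncoding, signature, sigEncoding, hash = 'SHA-256') {
  const key = await importKey(secret, keyEncoding, hash);
  return subtle.verify('HMAC', key, decode(signature, sigEncoding), rawBody);
}

async function demo() {
  const secret = '6b65792d313233'; // constructed secret, documented as hex
  const raw = utf8('{"id": 42,  "event": "paid"}'); // constructed body bytes as received
  const header = await signHex(raw, secret, 'hex'); // stands in for the provider's header
  const reserialized = utf8(JSON.stringify(JSON.parse(new TextDecoder().decode(raw))));
  return {
    rawBody: await verifyWebhook(raw, secret, 'hex', header, 'hex'),
    reserializedBody: await verifyWebhook(reserialized, secret, 'hex', header, 'hex'),
    keyReadAsText: await verifyWebhook(raw, secret, 'utf8', header, 'hex'),
  };
}

// { rawBody: true, reserializedBody: false, keyReadAsText: false }
demo().then((r) => console.log(r));
```

On a server, pass the request body to `verifyWebhook` as the bytes read from the socket, before any JSON parser or body-rewriting middleware has touched it.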

Why a local HMAC tool matters

A signing secret is a credential: anyone who has it can forge valid requests to your service. Pasting that secret into an online HMAC generator sends it to a third-party server where it can be logged or cached — the same risk as emailing yourself a password. A tool that signs should never transmit the secret it signs with.

This one does not. It uses the browser's built-in crypto.subtle Web Crypto API, so the key is imported and used entirely in memory inside your own tab; there is no network request, no account and no logging, and closing the tab discards everything. That is the gitime.dev approach across the board: deterministic, dependency-light developer tools that keep your secrets on your machine.

Frequently asked questions

Does my secret key get uploaded?
No. The HMAC is computed in your browser with Web Crypto. The message and key never leave your device.
What is an HMAC and when do I need one?
A keyed hash proving a message came from a secret-holder and was not altered — used to sign and verify webhooks and API requests.
How do I verify a webhook signature?
Paste the raw body as the message, the signing secret as the key, pick the algorithm, and paste the provider's signature into the verify field.
Can the key be hex or base64, not just text?
Yes. Choose the key encoding so the bytes match your service; the output can be hex or base64 too.
