HMAC Generator (SHA-256, SHA-512)

Private by design — runs entirely in your browser

Generate HMAC-SHA256 (or SHA-1, SHA-512) signatures from a message and a secret key, in your browser. Toova is the right tool for signing webhook payloads, API requests, and any flow where two parties share a secret and need to verify authenticity.

What HMAC is for

HMAC turns a shared secret and a message into a fixed-length signature. The receiver, who also knows the secret, can recompute the HMAC and compare it byte by byte — if the signatures match, the message is authentic and untampered. Stripe, GitHub, Slack, and almost every webhook system use HMAC-SHA256 to sign payloads so the receiver can trust the origin.

Algorithm and encoding options

Toova supports HMAC-SHA256, HMAC-SHA1, and HMAC-SHA512. SHA-256 is the modern default. Pick the algorithm that matches the documentation of the service you are integrating with. Output is hex by default, with Base64 and Base64-URL variants available — most webhook providers expect a specific format, so check their docs before flipping the toggle.

Local-only signing

The signature is computed entirely in your browser. Your message and secret key never leave the page. That matters because the secret is what lets anyone forge a valid signature — leaking it to a third-party form would compromise the system. Toova is safe for debugging production webhooks, validating signatures, and exploring API integrations.

Frequently Asked Questions

What is the difference between HMAC and a plain hash?
A plain hash depends only on its input, so anyone can compute it. HMAC mixes in a secret key, so only parties with the key can produce a matching signature. That is what makes HMAC suitable for authentication, while a plain hash is only good for integrity.
Which algorithm should I pick?
Use HMAC-SHA256 unless the service you integrate with explicitly requires something else. SHA-1 is still common in legacy systems but should not be used in new designs. SHA-512 is overkill for most use cases but slightly more conservative.
Should the key be a string or bytes?
HMAC takes a byte sequence. Toova treats your key as UTF-8 text by default, which matches what most APIs do. If the spec says "hex-encoded secret", flip the key-encoding toggle so the bytes match what the service expects.
Is my secret sent to a server?
No. Signing happens entirely in your browser. Your secret and message never leave the device, and the Network tab will stay empty during signing.
Why does my signature not match what the service expects?
Most commonly: encoding mismatch (hex vs Base64), trailing newline in the payload, or wrong algorithm. Verify all three match the service documentation exactly.
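
The mismatch causes listed above (algorithm, output encoding, trailing newline) and the key-encoding question before it, as an added Node.js example that is not Toova's own code. The helper names `sign`, `verify` and `diagnose` are hypothetical, and the secret and payload are constructed.

```javascript
// Added example, not Toova's code. Helper names, secret and payload are constructed.
const { createHmac, timingSafeEqual } = require('node:crypto');

// opts.algorithm: 'sha256' | 'sha1' | 'sha512'
// opts.keyEncoding: 'utf8', or 'hex' when the spec says "hex-encoded secret"
// opts.outputEncoding: 'hex' | 'base64' | 'base64url'
function sign(payload, secret, opts = {}) {
  const { algorithm = 'sha256', keyEncoding = 'utf8', outputEncoding = 'hex' } = opts;
  const key = Buffer.from(secret, keyEncoding);
  return createHmac(algorithm, key).update(payload, 'utf8').digest(outputEncoding);
}

// Receiver side: recompute the signature and compare in constant time.
function verify(payload, secret, received, opts = {}) {
  const expected = Buffer.from(sign(payload, secret, opts));
  const got = Buffer.from(String(received));
  return expected.length === got.length && timingSafeEqual(expected, got);
}

// Debugging aid: try every combination of algorithm, key encoding, output
// encoding and trailing newline, and return the settings that reproduce `received`.
function diagnose(payload, secret, received) {
  const keyEncodings = /^([0-9a-f]{2})+$/i.test(secret) ? ['utf8', 'hex'] : ['utf8'];
  const stripped = payload.replace(/\r?\n$/, '');
  const bodies = stripped === payload
    ? [['as given', payload], ['newline appended', payload + '\n']]
    : [['as given', payload], ['trailing newline stripped', stripped]];
  const matches = [];
  for (const algorithm of ['sha256', 'sha1', 'sha512'])
    for (const keyEncoding of keyEncodings)
      for (const outputEncoding of ['hex', 'base64', 'base64url'])
        for (const [body, text] of bodies) {
          const opts = { algorithm, keyEncoding, outputEncoding };
          // Hex signatures are sometimes sent upper-case; normalise before comparing.
          const sig = outputEncoding === 'hex' ? String(received).toLowerCase() : received;
          if (verify(text, secret, sig, opts)) matches.push({ ...opts, body });
        }
  return matches;
}

// Constructed scenario: the sender signed the body without a newline, using a
// hex-decoded key and Base64 output; the local copy of the body has a newline.
const demoSecret = '00112233445566778899aabbccddeeff';
const demoBody = '{"event":"ping","id":42}';
const demoSig = sign(demoBody, demoSecret, { keyEncoding: 'hex', outputEncoding: 'base64' });
console.log(diagnose(demoBody + '\n', demoSecret, demoSig));
```

An empty result from `diagnose` means none of these settings explains the mismatch, which points at the secret or the payload bytes themselves.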