Online HMAC Generator: Text and File HMAC Signing (SHA256, SHA512, SHA3, BLAKE, SM3)

• Multi-Algorithm HMAC

  Switch between SHA-256, SHA-512, SHA3, Keccak, BLAKE, SM3, and legacy-compatible options in one interface.

• Message and File Signing

  Sign plain text, JSON payloads, webhook raw bodies, canonical strings, and local files.

• Chunked File HMAC

  Large files are processed in local chunks with progress reporting for long-running tasks.

• Key Format Conversion

  Work with text keys, hex keys, and Base64 keys while preserving byte-level consistency.

• Flexible Output Encoding

  Export signatures as lower hex, upper HEX, or Base64 to match API, webhook, and storage-provider contracts.

• Local Chunked Processing

  Text, secrets, and files are computed in the browser; large files are processed in chunks without handing over the original payload.

1. 1

   Choose input type: text mode for canonical strings and request bodies, file mode for binary payload signing.

2. 2

   Provide your secret key and confirm key format (text / hex / Base64) before computation.

3. 3

   Select the exact HMAC algorithm required by your backend or third-party platform.

4. 4

   Choose output format (hex or Base64), then copy and compare with expected server-side signatures.

5. 5

   If verification fails, first validate payload normalization, field ordering, encoding, newline style, and timestamp assembly.

• Online HMAC-SHA256, HMAC-SHA512, HMAC-SHA3, HMAC-BLAKE3, and HMAC-SM3 generation
• Support for API signature strings, webhook payload signing, payment callback validation, and signed URL workflows
• Text/Hex/Base64 key handling with deterministic byte conversion
• Lower/upper hex and Base64 output options to match platform-specific signature contracts
• Chunked file HMAC with progress and cancellation support
• One-click example payloads for rapid integration and debugging
• Fullscreen workspace and progress feedback for long payloads, signatures, and file checks
• Fully local browser computation for key privacy and internal debugging workflows

• API Authentication Debugging

  Recompute request signatures to diagnose field-order, encoding, and canonicalization mismatches.

• Webhook Signature Verification

  Re-sign raw callback payloads to validate source authenticity and payload integrity.

• Payment Gateway Integration

  Validate callback and request signatures against provider-specific signing rules.

• Signed URL and Storage Access

  Generate and verify canonical-string signatures for object storage or CDN access control.

• Always align algorithm, raw message bytes, and secret key bytes with the server implementation
• Define whether signing source is raw body, sorted query string, or canonical string
• Normalize UTF-8 encoding and newline style before signing
• Avoid implicit transformations such as JSON reformatting, trimming, or auto URL decoding
• Never expose production signing keys in frontend code, logs, or screenshots
• Pin signature test vectors in CI to detect drift after dependency or framework updates

If the task only checks whether text or a file changed and does not involve a shared secret, use Hash Generator . For token issues around headers, payloads, expiry, or signature structure, continue with JWT Inspector . When the signed source includes query strings, callback URLs, or percent-encoding rules, verify the byte boundaries with URL Encode & Decode before recalculating the HMAC signature.

• HMAC is keyed integrity/authenticity validation, not reversible encryption
• This tool does not manage key lifecycle, rotation, or secure key custody
• If server-side signing has extra normalization steps, you must prebuild that exact input
• Some platforms differ in Base64 variants (standard vs URL-safe); verify target protocol details
• Large-file signing duration depends on local hardware and browser resource availability