Skip to content
Security

Hash & HMAC Generator

Generate cryptographic hashes (SHA-1, SHA-256, SHA-512) and HMAC signatures for your text data.

Use it to verify that a download matches a published checksum, to check a webhook or API signature against an HMAC you compute from a shared secret, or to compare how each algorithm transforms the same input.

All hashing runs locally in your browser, so the text and secret you enter are never sent to a server.

Guide: How to use & features

  • Paste text into the input field and choose a hash algorithm.
  • Provide a secret key when you need an HMAC output.
  • The output is shown in hexadecimal (hex) format.
  • Copy the result for API testing, signatures, or integrity checks.

Samples: Sample input & output

SHA-256 ハッシュ

Input

アルゴリズム: SHA-256
テキスト: hello

Output

2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

FAQ: FAQ

  • What is the difference between a hash and an HMAC?

    A hash is computed from the input alone, so anyone can derive the same value from the same input. An HMAC also uses a secret key, so only parties who hold the key can produce or verify a valid signature. Use HMAC when, on top of detecting tampering, you want to confirm the sender holds the key.
  • Can I use SHA-256 to store passwords?

    Not recommended. SHA functions are fast, which makes them weak against brute-force attacks; password storage should use a deliberately slow, purpose-built function like bcrypt or Argon2. The SHA/HMAC here are meant for integrity checks and signature verification rather than storing passwords.
  • Is SHA-1 still safe to use?

    Collision attacks against SHA-1 have been demonstrated, so it is discouraged for security-sensitive uses such as signatures or tamper detection — choose SHA-256 or stronger for anything new. SHA-1 is best limited to compatibility checks with existing systems or non-security checksums.

Use cases: Common use cases

  • Verifying downloaded file integrity

    Compare a checksum the publisher provides (such as SHA-256) against the hash you generate from your local file to confirm it was not corrupted or tampered with.

  • Checking webhook / API signatures

    Compute an HMAC-SHA256 from the received payload and a shared secret, then match it against the signature header the sender attached — a quick way to debug your implementation.

  • Comparing output across algorithms

    Switch between SHA-1, SHA-256, and SHA-512 on the same input to see the difference in length and value, helping you pick the algorithm a spec calls for.

Notes: Notes & limitations

  • Work stays in your browser

    Inputs and outputs remain local. Closing the tab or clearing cache will remove any temporary state.

  • Validate critical data

    Results are helper outputs—double-check them before sending to production systems or sharing externally.

  • Large payloads depend on your device

    Very large text or files can feel slow in some browsers. Use a desktop environment for heavy workloads.

Configuration

Hash Algorithm

Hash and HMAC Generator

Hash functions and HMAC signatures are used to verify integrity, compare data, sign webhook payloads, and debug authentication flows. This tool helps generate common SHA hashes and HMAC values in the browser from text input.

Common use cases

  • Verify file or payload integrity: Compare expected and actual hash values during debugging.
  • Debug webhook signatures: Recreate HMAC values from a payload and shared secret.
  • Generate test fixtures: Prepare sample hashes for documentation, tests, or API examples.

Security note

Plain hashes are not suitable for storing passwords without a dedicated password hashing algorithm and salt. HMAC secrets and production payloads should be handled carefully and should not be shared in public examples.