HMAC Signer & Encoder

Generate and verify HMAC signatures for API payloads without leaving the browser. Switch algorithms, choose output encodings, test canonical strings, and compare expected signatures when debugging webhook auth or signed requests.

SHA-1 / SHA-256 / SHA-384 / SHA-512 Hex / Base64 / Base64URL Signature verification Local-only processing

Signer

Paste the exact string your backend signs. For example: raw body, timestamp + '.' + body, or a canonical request string.

Algorithm

Output encoding

Secret format

Secret key Message / canonical string

Optional timestamp helper

Timestamp combine mode

AlgorithmSHA-256

Encodinghex

Message bytes0

Signature length0

Effective signed string

Generated signature

Expected signature to compare

Generate a signature first, then compare it against an expected value.

Encoding notes

• Hex is most common for backend logs and CLI checks. • Base64 is common in signed headers and SDK output. • Base64URL is useful for URL-safe transport. • Secret format matters: raw text vs decoded base64/hex can completely change the signature.

Common mismatch causes

• Signing parsed JSON instead of the raw request body • Missing timestamp prefix or wrong separator • Trailing newline in payload or secret • Wrong output encoding • Secret provided in base64 but treated as plain text

HMAC Signer & Encoder

Signer

Output & verification

Encoding notes

Common mismatch causes