Calculator inputs
Use the form below to generate, compare, and inspect message authentication codes with flexible encodings.
Plotly graph
This graph compares message size, key size, digest size, and the underlying block size used by the selected algorithm.
Example data table
These ready-made examples show how different encodings and algorithms produce different HMAC outputs.
| Message | Message Encoding | Secret Key | Key Encoding | Algorithm | Output | Sample HMAC |
|---|---|---|---|---|---|---|
| hello world | TEXT | secret123 | TEXT | SHA256 | HEX | 57938295649097379cddb382dd6c82d5e0460645a8fd01674a48a76de6142646 |
| 48656c6c6f20576f726c64 | HEX | 6b65792d313233 | HEX | SHA512 | BASE64 | wEzQgQFjSA3I2qwfaooLprbDXQuIoRiyPAk8Q6BUWwqLjszo2IayvhH+SyhqJLqubrvLt4ahYQMMGfWi523pcQ== |
| QVBJIHJlcXVlc3QgcGF5bG9hZA== | BASE64 | Y2xpZW50LXNoYXJlZC1zZWNyZXQ= | BASE64 | SHA3-256 | HEX | 337106f7c5c83ba87fb2a3b6f775f3a1961a3d3f701e2f703ff6430143ce349c |
Formula used
HMAC(K, m) = H((K′ ⊕ opad) || H((K′ ⊕ ipad) || m))
Here, H is the chosen hash function, m is the message, and K′ is the normalized key.
If the original key is longer than the block size, it is hashed first. The result, or any key shorter than the block size, is then padded with zero bytes up to the block size.
ipad is the repeated byte 0x36, and opad is the repeated byte 0x5c. The calculator applies these rules automatically.
Why this matters mathematically
HMAC combines XOR operations, fixed block sizes, and nested hashing. That structure makes the signature depend on both the message and the secret key while resisting the length-extension attacks that affect plain hashes when a key is simply prepended to the message.
How to use this calculator
- Paste your message and choose its encoding.
- Paste the shared secret key and select its encoding.
- Choose the desired HMAC algorithm and output format.
- Optionally add an expected signature for verification.
- Press Generate HMAC to show the result above the form.
- Review the summary metrics, chart, and interpretation notes.
- Download the CSV or PDF report when you need a record.
Practical tip
Always verify that both sides use the same message bytes, line endings, key bytes, algorithm, and output format. Most mismatches come from encoding differences rather than incorrect formulas.
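The formula and the practical tip above, as an added Python example (not the calculator's own code): it builds HMAC directly from the ipad/opad definition, decodes the TEXT, HEX, and BASE64 inputs from the example table, and verifies an expected value on raw bytes in constant time. The function names and the choice of UTF-8 for TEXT are assumptions.

```python
import base64, hashlib, hmac

def decode(value, encoding):
    """Form field -> raw bytes, using the page's TEXT / HEX / BASE64 labels."""
    if encoding == "TEXT":
        return value.encode("utf-8")  # assumption: TEXT means UTF-8
    if encoding == "HEX":
        return bytes.fromhex(value)
    if encoding == "BASE64":
        return base64.b64decode(value, validate=True)
    raise ValueError("unknown encoding: " + encoding)

def hmac_from_formula(key, msg, hash_name):
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:                      # key longer than a block: hash it first
        key = hashlib.new(hash_name, key).digest()
    k_norm = key.ljust(block, b"\x00")        # then zero-pad up to the block size
    ipad = bytes(b ^ 0x36 for b in k_norm)
    opad = bytes(b ^ 0x5C for b in k_norm)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def verify(expected, expected_enc, key, msg, hash_name):
    """Decode the expected value to raw bytes, then compare in constant time."""
    try:
        want = decode(expected.strip(), expected_enc)
    except ValueError:                        # malformed hex/base64 is a mismatch
        return False
    return hmac.compare_digest(want, hmac_from_formula(key, msg, hash_name))

# Inputs from the page's example table; digests are computed here, not copied.
ROWS = [
    ("hello world", "TEXT", "secret123", "TEXT", "sha256"),
    ("48656c6c6f20576f726c64", "HEX", "6b65792d313233", "HEX", "sha512"),
    ("QVBJIHJlcXVlc3QgcGF5bG9hZA==", "BASE64",
     "Y2xpZW50LXNoYXJlZC1zZWNyZXQ=", "BASE64", "sha3_256"),
]

def row_digest(row):
    msg, msg_enc, key, key_enc, hash_name = row
    return hmac_from_formula(decode(key, key_enc), decode(msg, msg_enc), hash_name)

if __name__ == "__main__":
    for row in ROWS:
        print(row[4], row_digest(row).hex())
    key, tag = b"secret123", row_digest(ROWS[0])
    # Same raw digest in two text encodings verifies; a trailing newline does not.
    print(verify(tag.hex(), "HEX", key, b"hello world", "sha256"))
    print(verify(base64.b64encode(tag).decode(), "BASE64", key, b"hello world", "sha256"))
    print(verify(tag.hex(), "HEX", key, b"hello world\n", "sha256"))
```

In production code, call the standard library's `hmac.new` rather than a hand-written construction; the formula version here exists only to show the key normalization and padding steps.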
Frequently asked questions
1. What does HMAC stand for?
HMAC stands for Hash-based Message Authentication Code. It combines a secret key with a message and a hash function to create a signature that helps confirm integrity and authenticity.
2. Why can two systems produce different HMAC values?
Differences usually come from mismatched encodings, hidden spaces, line endings, output formats, or algorithms. Even a single byte change in the message or key completely changes the resulting digest.
3. Is hexadecimal better than base64 output?
Neither is universally better. Hex is easier to inspect manually, while base64 is shorter and common in APIs. Both can represent the same raw digest bytes exactly.
4. What happens when the key is too long?
If the key exceeds the algorithm block size, HMAC first hashes the key. That compressed value is then padded and used internally for the final nested calculation.
5. Can I verify a known signature here?
Yes. Paste the expected signature, choose its format, and submit the form. The calculator compares raw bytes and reports whether the generated digest matches.
6. Why does an empty message still return a digest?
HMAC works on byte strings of any length, including zero bytes. The key and hash algorithm still define a valid authentication code for an empty input.
7. Which algorithm should I choose?
Choose the algorithm required by your protocol or system. In many modern integrations, SHA-256 or SHA-512 variants are common choices because they are widely supported.
8. Is this calculator suitable for production secrets?
It is useful for testing and education. For production workflows, store secrets securely, limit exposure, use HTTPS, and keep sensitive files outside public directories.