Compute HMAC-SHA256 (Hash-based Message Authentication Code) from a message and shared secret key. HMAC proves that a payload was created by someone who knows the secret without transmitting the key itself.
How HMAC-SHA256 works
HMAC combines the secret with the message through nested SHA-256 operations defined in RFC 2104. The output is a fixed-length hexadecimal digest you can compare to server-side signatures for webhooks, API requests, or signed cookies.
Common use cases
- Verifying GitHub or Stripe webhook signatures during development
- Debugging AWS Signature Version 4-style keyed hashes at a smaller scale
- Teaching how symmetric message authentication differs from plain SHA-256 hashing
Limitations
The secret is typed into the browser—use test keys only. HMAC-SHA256 is not encryption; it authenticates integrity and origin among parties sharing the secret. Output format is lowercase hex without prefixes.
Example
HMAC-SHA256 of the message "Hello" with the key "secret" produces a 64-character hex string unique to that pair.
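The nested construction from RFC 2104 described above, written out by hand and paired with a constant-time signature check. This is an added example, not the tool's own code; the function names `hmac_sha256_hex` and `verify` are assumptions, and the key and message are the test values from this page.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes input in 64-byte blocks


def hmac_sha256_hex(key: bytes, message: bytes) -> str:
    """RFC 2104 HMAC over SHA-256, returned as lowercase hex without a prefix."""
    # A key longer than one block is replaced by its SHA-256 digest;
    # the result (or a shorter key) is zero-padded to exactly one block.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")

    ipad = bytes(b ^ 0x36 for b in key)  # inner padded key
    opad = bytes(b ^ 0x5C for b in key)  # outer padded key

    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).hexdigest()


def verify(key: bytes, message: bytes, received_hex: str) -> bool:
    """Check a received hex signature against the one computed locally."""
    expected = hmac_sha256_hex(key, message)
    received = received_hex.strip().lower()
    # compare_digest takes time independent of where the first mismatch is,
    # unlike ==, so it does not reveal how many leading characters were right.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    key, message = b"secret", b"Hello"  # constructed test values, not real keys
    signature = hmac_sha256_hex(key, message)
    print("HMAC-SHA256 :", signature)
    # A plain SHA-256 of the same message needs no key, so anyone can recompute it.
    print("plain SHA256:", hashlib.sha256(message).hexdigest())
    print("valid       :", verify(key, message, signature))
    print("tampered    :", verify(key, b"Hello!", signature))
```
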