API Signature Generator
Generate HMAC-based API request signatures for webhook verification, API authentication, and request signing. Supports HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512 with secret keys in plain text or hexadecimal format, outputting both hex and Base64 signatures for immediate use in HTTP headers or query parameters.
How to Use
Enter the message or data to sign (typically a request body, URL, or canonical string), provide your secret key, select the key format (plain text or hex), and choose the HMAC algorithm. The signature appears instantly in both hex and Base64 formats. Use the built-in example to see a real-world webhook signing scenario.
Features
- 3 algorithms – HMAC-SHA1, HMAC-SHA256 (default), HMAC-SHA512
- Dual key formats – plain text or hexadecimal secret keys
- Dual output – signature in both hex and Base64 encoding
- Real-time generation – signature updates instantly as you type
- Example preset – one-click webhook signing example to get started
- Client-side only – your secret key never leaves the browser
FAQ
- How does HMAC-based API authentication work?
HMAC (Hash-based Message Authentication Code) authentication works by both parties sharing a secret key. The sender computes HMAC(secret, message) and sends the result as a signature header. The receiver independently computes the same HMAC and compares it to the received signature. Because only parties with the secret key can produce a valid signature, a matching HMAC proves authenticity and integrity of the message.
- What is the difference between HMAC-SHA256 and a plain SHA256 hash?
A plain SHA256 hash is deterministic and public — anyone can compute SHA256(data). HMAC-SHA256 incorporates a secret key into the computation using a two-pass construction: HMAC(k, m) = H((k ⊕ opad) || H((k ⊕ ipad) || m)). This means only parties with the secret key can produce or verify the signature, making it suitable for authentication where plain hashes are not.
- Why do webhook systems use HMAC signatures?
Webhooks deliver HTTP POST requests from a server to your endpoint. Without authentication, any server could send fake events. HMAC signatures solve this: the webhook provider signs the payload with a shared secret, and your server re-computes the HMAC to verify authenticity before processing the event. GitHub, Stripe, Shopify, and most modern webhook systems use this pattern with HMAC-SHA256.
- What should I use as the message for API request signing?
The message content varies by API. Common approaches include: signing just the request body (Stripe, GitHub webhooks), signing a canonical string of method + URL + timestamp + body (AWS Signature V4), or signing a sorted query string. Always check your API provider’s documentation for their exact canonical string format, as even whitespace differences will produce a different signature.
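The receiver side of the webhook pattern described in the FAQ, as an added Python example (not this tool's own code). The function names, the sample body and the secret are constructed for illustration; it covers both key formats and both output encodings, and compares signatures in constant time.

```python
import base64
import hashlib
import hmac

# The three algorithms named on this page, mapped to hashlib constructors.
ALGORITHMS = {
    "HMAC-SHA1": hashlib.sha1,
    "HMAC-SHA256": hashlib.sha256,
    "HMAC-SHA512": hashlib.sha512,
}


def decode_key(secret: str, key_format: str = "text") -> bytes:
    """Return raw key bytes from a plain-text (UTF-8) or hexadecimal secret."""
    if key_format == "hex":
        return bytes.fromhex(secret)  # ValueError on malformed hex
    if key_format == "text":
        return secret.encode("utf-8")
    raise ValueError(f"unknown key format: {key_format!r}")


def compute_tag(message: bytes, secret: str, key_format: str = "text",
                algorithm: str = "HMAC-SHA256") -> bytes:
    """Compute the raw HMAC tag over the exact message bytes."""
    key = decode_key(secret, key_format)
    return hmac.new(key, message, ALGORITHMS[algorithm]).digest()


def sign(message: bytes, secret: str, key_format: str = "text",
         algorithm: str = "HMAC-SHA256") -> dict:
    """Return the same tag in both encodings the page describes."""
    tag = compute_tag(message, secret, key_format, algorithm)
    return {"hex": tag.hex(), "base64": base64.b64encode(tag).decode("ascii")}


def verify(message: bytes, received_hex: str, secret: str,
           key_format: str = "text", algorithm: str = "HMAC-SHA256") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    try:
        received = bytes.fromhex(received_hex.strip())
    except ValueError:
        return False  # not valid hex, so it cannot be a valid signature
    expected = compute_tag(message, secret, key_format, algorithm)
    return hmac.compare_digest(expected, received)


# Constructed sample webhook body and secret (not real credentials).
BODY = b'{"event":"order.created","id":42}'
SECRET = "constructed-demo-secret"
SIGNATURE = sign(BODY, SECRET)["hex"]
```

Pass `verify` the raw request bytes as received: re-serializing the JSON before verification changes whitespace and therefore the signature.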
