What is the difference between a hash and an HMAC?

A plain hash (MD5, SHA-1, SHA-256, SHA-512) takes one input and produces a fixed-size digest — anyone can compute it for the same input. An HMAC takes two inputs: a secret key and a message. Without the secret you can't reproduce or verify the digest. That's what makes HMAC suitable for signing webhooks, JWTs, and API requests — the receiver knows the message hasn't been forged because forging requires the secret.

Which HMAC algorithm should I use?

HMAC-SHA-256 is the modern default. Stripe, GitHub, Slack, Discord, Shopify, and most other webhook senders use HMAC-SHA-256. JWT alg HS256 is HMAC-SHA-256. Pick HMAC-SHA-512 if you need larger digests (64 bytes vs 32). HMAC-SHA-384 covers JWT HS384. HMAC-SHA-1 is legacy — still seen in older Twilio and AWS Signature v2 setups but should not be used for new systems.

Why is HMAC-MD5 not in the list?

Web Crypto, the browser's native crypto layer, only exposes HMAC for SHA-1, SHA-256, SHA-384, and SHA-512. Implementing HMAC-MD5 ourselves would add custom crypto for negligible value — HMAC-MD5 is deprecated for security use, and any system that still requires it can be implemented from MD5 plus the standard HMAC construction. For new code, use HMAC-SHA-256.

Is my secret key safe?

Yes. The HMAC computation runs entirely in your browser via the Web Crypto API's `crypto.subtle.importKey` and `crypto.subtle.sign`. Your secret never leaves the page, never goes to PDFFlare's servers, and isn't logged anywhere. Safe to use for development tokens, webhook secrets, and short-term testing keys. For long-lived production secrets, you should still treat any tool you paste them into with care.

How do I verify a Stripe / GitHub / Slack webhook signature?

Each webhook provider documents the exact construction. Generally: take the raw HTTP request body (string), compute HMAC-SHA-256 of (timestamp + body) using your endpoint secret, and compare the hex digest against the signature header. Use this tool to compute the expected HMAC, then compare it against the value in `Stripe-Signature`, `X-Hub-Signature-256`, or `X-Slack-Signature` headers respectively. Always use a constant-time comparison in production code.

Can I use this to sign a JWT?

Yes — JWT alg HS256 is exactly HMAC-SHA-256 over the base64url-encoded `header.payload` joined with a dot. Compute that HMAC here, then base64url-encode the resulting bytes (this tool returns hex; you'll need to convert hex → bytes → base64url). For full token construction including base64url encoding, you'll typically use a JWT library — but this tool is great for verifying that your library produces the same signature you compute manually.

What is a hash function?

A hash function converts input data of any size into a fixed-size string of characters. The same input always produces the same hash, but it is practically impossible to reverse-engineer the original input from the hash. Hash functions are used for verifying data integrity, generating checksums, and indexing data structures.

Which hash algorithm should I use?

Use SHA-256 for most security purposes — strong collision resistance and good performance. SHA-512 gives you longer digests and slightly better performance on 64-bit machines. MD5 and SHA-1 are cryptographically broken for security but remain useful for non-security checksums (cache keys, deduplication, file integrity).

Is MD5 still safe to use?

Not for any security-critical purpose. MD5 has known practical collision attacks since 2004. Don't use it for password hashing, signature verification, or any context where an attacker might benefit from finding a collision. It's still fine for deduplication, cache keys, ETags, and quick integrity checks where collisions just mean a cache miss.

Do hashes update in real time?

Yes. In plain-hash mode, MD5 + SHA-1 + SHA-256 + SHA-512 are all computed live as you type. In HMAC mode, the chosen algorithm's signature is computed live as you change the message, secret, or algorithm. Web Crypto handles SHA computations natively; MD5 uses a small client-side implementation in `src/lib/crypto/md5.ts`.

Hash Generator — MD5, SHA + HMAC Online

Generate MD5, SHA-1, SHA-256, SHA-512 hashes and HMAC signatures (SHA-1/256/384/512) online. Webhook + JWT signing, browser-based, no signup.

PDFFlare's hash generator online produces every common digest you need from one tool: MD5, SHA-1, SHA-256, and SHA-512 plain hashes, plus full HMAC signing for SHA-1, SHA-256, SHA-384, and SHA-512. Use it as a hash calculator for checksums, an md5 generator for cache keys, a sha256 generator for file integrity, or an hmac sha256 generator for webhook signatures and JWT HS256 tokens. Live updates as you type, no signup, no rate limits.

The HMAC mode is the difference between a casual hash tool and a real webhook signature generator. Sign request bodies for Stripe, GitHub, Slack, Shopify, Discord, or any HMAC-protected API; verify incoming webhook headers; or build the signing portion of a JWT alg HS256 token. Pair this with the JWT Decoder to inspect the tokens your auth layer issues, or with Base64 Encode & Decode to convert HMAC digests between hex and base64.

Everything runs in your browser. The Web Crypto API handles SHA digests and HMAC signing natively; MD5 uses a small pure-JS implementation. Your message and your secret never touch a server, never enter a log, never get cached on a CDN — safe for development webhook secrets, short-lived signing keys, and any payload you wouldn't paste into a third-party debugger.

Enter text to hash

How to Generate Hash and HMAC Values

Pick a mode
Plain hash for MD5/SHA checksums, or HMAC signing for keyed signatures (webhook verification, JWT HS256, AWS request signing). Mode persists across sessions.
Enter your message
Type or paste the text you want to hash. In HMAC mode, also enter the secret key — both inputs are kept entirely in your browser and never sent to a server.
Pick the algorithm (HMAC mode)
HMAC-SHA-256 is the modern default and matches Stripe, GitHub, and Slack webhooks. Pick HMAC-SHA-512 for larger digests, HMAC-SHA-384 for JWT HS384, or HMAC-SHA-1 only for legacy compatibility (Twilio, AWS Signature v2).
Copy the digest
Hashes update live as you type. Click Copy next to any digest to put it on your clipboard — ready to paste into a webhook header, API request, or test fixture.

When Do You Need a Hash Generator Online?

Webhook signature verification (HMAC-SHA-256): Stripe, GitHub, Shopify, Slack, Discord, Twilio — every modern webhook sender computes HMAC-SHA-256 of the request body using your endpoint secret and stamps it in a header. To debug a receiver, paste the raw body + your secret here, pick HMAC-SHA-256, and compare the digest against the header value. Mismatch = your construction is wrong (timestamp prefix? raw vs parsed body? wrong secret?). Fast feedback loop.

JWT alg HS256 / HS384 / HS512 signing: JWTs in the HS family are exactly HMAC over the base64url-encoded header.payloadjoined by a dot. Compute the HMAC here, base64url-encode the digest, append it after a dot — that's your signed JWT. Useful for hand-crafting test tokens or verifying that your auth library produces the digest you expect.

File integrity + checksums (SHA-256): When you download a release artifact and the project publishes its SHA-256, paste the file's text content (or a ground-truth string) and compare. Same logic for cache keys, deduplication, ETags, and any “has this content changed?” check where collisions don't weaken security.

AWS Signature v4 + custom HMAC chains: AWS Signature v4 builds a derived key by chaining four HMAC-SHA-256 calls (date → region → service → signing). You can replay each step here to debug why your signed request is being rejected. The same approach works for any custom HMAC pipeline: compute one stage, paste the result as the secret for the next, repeat.

Why Choose PDFFlare's Hash Generator?

Plain Hashes + HMAC in One Tool

MD5, SHA-1, SHA-256, SHA-512 plain hashes and HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 signatures — both modes share the same UI, both update live as you type.

Webhook + JWT Ready

HMAC mode is purpose-built for webhook signature verification (Stripe, GitHub, Slack, Shopify) and JWT alg HS256/HS384/HS512 signing. Algorithm selector hints at the use case so you don't have to think about it.

100% Browser-Based

Web Crypto API handles SHA + HMAC natively. Your message and secret never leave your device — safe for production webhook secrets and short-lived signing keys.

No Signup Required

Free, unlimited, no account, no rate limits. Bookmarkable for the next time a webhook integration breaks at 2 AM.

Frequently Asked Questions About Hash Generator and HMAC

Password Generator

Random, passphrase, PIN

UUID Generator

v1, v4, v5, v7 + bulk

HMAC Generator

HMAC-SHA256 webhook signatures

File Checksum

MD5 + SHA hashes of any file

Verify Checksum

Match a published hash to a file

Random Secret

JWT secrets, API keys, webhook keys