Securely calculate message authentication codes (MAC) using SHA256, SHA512, and other algorithms to verify data integrity and sender identity.
Configure parameters to start calculation
When you need to verify the source of an API request or ensure that transmitted data has not been tampered with, the HMAC-SHA algorithm provides dual protection through key-bound hash calculations. Based on the RFC 2104 standard, this tool combines a key of any length with the data to be verified, generating a fixed-length Message Authentication Code (MAC) using your selected SHA algorithm (such as SHA256 or SHA512). Typical outputs are 64-character (SHA256) or 128-character (SHA512) hexadecimal strings.
What is the difference between HMAC-SHA and MD5?
MD5 has been proven to be insecure, whereas modern algorithms like SHA-256 offer much stronger collision resistance. The HMAC structure also provides additional key protection.
Why does the MAC value remain the same for identical inputs?
This is by design: as long as the three elements (key, data, and algorithm) remain unchanged, the MAC value will always be the same. If you need dynamic results, you can append a timestamp or a random nonce to your input data.
The secret key must be strictly identical on both sides (including case sensitivity). Processing data larger than 1MB may cause browser performance issues. For financial applications, we recommend using SHA384 or SHA512 algorithms. Never process highly sensitive keys on public computers.
Example of a typical API signature scenario:
Input Data: method=POST&path=/v1/order&nonce=123456
Secret Key: k8J9x$2aP5qL
SHA256 Output: 7a3b2c... (64-character hexadecimal)
Note: URL parameters should be sorted alphabetically before calculating the MAC to prevent verification failures caused by parameter order discrepancies.
