Input is processed only in the active browser tab's memory and is not sent to a ByteQuant server.
HMAC Generator & Verifier
Uses Web Crypto to create HMAC from a UTF-8 key and message, outputs hex or Base64URL, and checks an optional expected value with a length-normalized byte comparison. JavaScript runtimes do not guarantee constant-time execution. Keys must remain secret; HMAC is not encryption, identity proof, or a public-key signature.
Input and output are not stored. The optional usage counter keeps only tool identity and count, never content.
Output comes from disclosed rules or browser APIs and needs independent review before high-impact use.
A result in three steps
- 01
Enter only a test key and message you are authorized to use.
- 02
Choose algorithm and output format, then generate the HMAC.
- 03
In production, follow the provider's byte encoding and canonicalization rules exactly.
When is this tool useful?
- ✓ Debugging webhook signatures
- ✓ Creating test fixtures
- ✓ Verifying message integrity
Automated output is a preliminary assessment. Do not use it alone for legal, financial, medical, or security-critical decisions.
Guides for this tool
Local Security Guide to Web Crypto, RAG, and Prompt Injection
Apply passphrases, HMAC, SRI, CIDR, RAG budgets, and injection pre-scans with correct security boundaries.
Read guide →Frequently asked questions
Does this tool send input to a server?+
No. Processing runs in this browser tab. Data leaves the page only when you choose to copy or download the result.
Is the result definitive?+
The tool produces consistent output from disclosed rules and browser APIs, but context, data quality, and method limitations can affect it. Verify high-impact decisions.
Is input saved?+
No. Tool input is not persisted. With consent, only tool identity and usage count may be kept on this device for personal shortcuts.