Question 1

What is HMAC-SHA256?

Accepted Answer

HMAC-SHA256 is HMAC using SHA-256 as the underlying hash function. It produces a 256-bit (32-byte) authentication code displayed as 64 hex characters. It's the most widely used HMAC variant in modern systems.

Question 2

How do I verify a GitHub webhook with HMAC-SHA256?

Accepted Answer

GitHub sends X-Hub-Signature-256: sha256=<hash> in webhook headers. To verify: compute HMAC-SHA256 of the raw request body using your webhook secret as the key. Compare with the signature using a timing-safe comparison. If they match, the webhook is authentic.

Question 3

What is AWS Signature Version 4?

Accepted Answer

AWS SigV4 uses HMAC-SHA256 in a chain: derive a signing key using HMAC(HMAC(HMAC(HMAC(secret_key, date), region), service), 'aws4_request'), then sign the canonical request string. The result is included in the Authorization header.

Question 4

Why does HMAC-SHA256 require a secret key but SHA-256 does not?

Accepted Answer

SHA-256 takes only a message and produces a hash anyone can compute and verify. HMAC-SHA256 takes a message AND a secret key — only parties with the key can generate or verify the HMAC. HMAC is for authentication; SHA-256 is for integrity.

Question 5

How is HMAC-SHA256 used in JWT?

Accepted Answer

JWT algorithm HS256 uses HMAC-SHA256. The signature = HMAC-SHA256(base64url(header) + '.' + base64url(payload), secret). The token is valid only if the server can recompute this HMAC with its secret key and it matches the token's signature.

Question 6

How do I generate an HMAC-SHA256 signature?

Accepted Answer

Enter your message and secret key above, then click Generate. The tool computes HMAC-SHA256 using the browser's Web Crypto API and outputs the hex-encoded signature. HMAC-SHA256 is the standard for API request signing (AWS Signature V4, GitHub webhooks) and JWT HS256 signing. For other hash algorithms, use DevDecode's HMAC Generator.

Question 7

What is the difference between HMAC-SHA256 and SHA-256?

Accepted Answer

SHA-256 is a hash function — anyone can compute the same hash from the same input without a key. HMAC-SHA256 requires a secret key, so only parties who know the key can compute or verify the signature. Use SHA-256 for checksums and data integrity. Use HMAC-SHA256 when you need to prove a message came from someone with the secret key, like in API authentication.

HMAC-SHA256 Generator — Free Online HMAC SHA256 Tool

Frequently Asked Questions

HMAC-SHA256: The Standard for API Authentication

Related Tools

HMAC Generator

SHA-256

JWT Decoder

JWT Encoder