HMAC API - Generate SHA-256, SHA-1 & SHA-512 Signatures
Compute a keyed-hash message authentication code (HMAC) for any string. Provide the text, a secret key, and an optional algorithm. The default is HMAC-SHA256.
Code examples
curl -X POST https://api.botoi.com/v1/hash/hmac \
-H "Content-Type: application/json" \
-d '{"text":"{\"event\":\"payment.completed\",\"id\":\"pay_abc123\"}","key":"whsec_s3cr3tK3y","algorithm":"sha256"}'When to use this API
Webhook payload verification
Recompute the HMAC of an incoming Stripe or GitHub webhook body using your shared secret and compare it to the signature header.
API request signing
Sign outgoing API requests by computing an HMAC of the canonical request string, matching the pattern used by AWS Signature V4.
Token generation for signed URLs
Generate time-limited signed URLs by appending an HMAC of the path and expiry timestamp as a query parameter.
Frequently asked questions
How is HMAC different from a regular hash?
A regular hash takes only the input data. HMAC also includes a secret key, so only parties who know the key can produce or verify the signature.
Should I send my production secret key to this API?
For testing and debugging, the API is convenient. In production, compute HMACs locally using your language crypto library to keep secrets off the network.
What encoding is the output?
The HMAC is returned as a lowercase hexadecimal string.
Which algorithm do most webhook providers use?
Most providers (Stripe, GitHub, Shopify) use HMAC-SHA256, which is the default for this endpoint.
Get your API key
Free tier includes 5 requests per minute with no credit card required. Upgrade for higher limits.