What's the difference between Personal and Studio?

Personal ($39) is for one person — unlimited use on one active device at a time. Activate on a new device and the old one signs out. Studio ($199) is for teams and commercial client work — unlimited team members, early access to new tools, and a commercial license.

Do I need an account?

No. Use any tool free up to 5 times per day on compute-heavier tools, and unlimited on lightweight ones. No card, no account, no signup required.

Where are my files processed?

Right on your device. Files never upload to any server. Everything runs in your browser — you can verify in DevTools → Network.

What happens if I use my Personal license on a second device?

The new device activates and the old device signs out. Your license key stays the same — you just move it between devices as needed. No limit on how often you switch.

Does this work on my phone?

Yes. Every tool works on iPhone, Android, tablet, and desktop.

What if I want a refund?

30-day money-back guarantee on both tiers. No questions asked. Email sales@cipherforces.com.

Will you add more tools?

Yes. New tools ship regularly. Your license includes every tool we ever release — Studio members get early access.

SecurityFree

HMAC Calculator

Generate or verify HMAC signatures (SHA-1, SHA-256, SHA-384, SHA-512). Built for webhook signature debugging.

PrivateWorks OfflineNo Account

100% Private Works Offline Web Crypto API

Algorithm

Message / Payload

Whitespace and newlines are significant — paste the body exactly as it was transmitted.

Secret Key

Deep dive

About HMAC Calculator.

Generate and Verify HMAC Signatures — Locally

HMAC (Hash-based Message Authentication Code) is what Stripe, GitHub, Twilio, Slack, and most webhook systems use to prove that a payload really came from them and wasn't tampered with in transit. CipherForces HMAC Calculator computes and verifies HMAC signatures entirely in your browser, with two dedicated modes built around real debugging workflows — not generic "hash some text" output.

Generate Mode

Paste the message body, paste or type the secret key, pick the algorithm (SHA-1, SHA-256, SHA-384, SHA-512), and get the signature in both hex and base64. Key input accepts UTF-8 text, hex, or base64 — common formats used by different vendors. Useful when you're generating a signed request to send to an API that expects HMAC auth, or when you're building the verification logic on the receiving side and need a known-good signature to test against.

Verify Mode

Paste the message body, paste the secret, paste the signature you received, and the tool returns a clear ✓ match or ✗ no-match indicator. This is the killer feature for webhook debugging — when Stripe sends you a Stripe-Signature header and your server says "invalid signature," you can drop the raw body, your endpoint secret, and the header value into this tool and find out within a second whether the bug is in your signature comparison or in your body parsing (the most common cause: invisible whitespace or JSON re-stringification mangling the body).

Common Use Cases

Webhook signature verification: Stripe, GitHub, Twilio, Slack, Shopify, Vercel, Linear — all use HMAC-SHA256 over the raw request body with a shared secret.
Build a known-good test: When implementing webhook auth on your server, generate a signature with this tool and unit-test against it.
Debug "invalid signature" errors: Compare what your server computes against what the vendor sent — instantly see whether the body or the secret is the problem.
API request signing: AWS Signature v4, OAuth 1.0a, and many internal APIs use HMAC over a canonical request string.

Privacy

HMAC computation uses the browser's native crypto.subtle API. Your message body and secret key never leave your device. Compare that to "free" online HMAC tools that log every payload + secret you paste — handing them production webhook secrets is exactly what you don't want to do when debugging.

Three steps

How to use HMAC Calculator.

Upload your file

Drag and drop or click to select your file.

Choose settings

Adjust quality, size, or format options.

Download result

Your processed file is ready instantly.

Related security tools.

View all

Hash Generator

Generate SHA-1, SHA-256, SHA-384, SHA-512 hashes for text and files.

Open tool

File Checksum Verifier

Verify file integrity by comparing SHA-256 checksums.

Open tool

Encrypt & Decrypt

Encrypt text and files with AES-256. Decrypt with your password.

Open tool

SSL Certificate Checker

Check any website's SSL certificate and security headers.

Open tool

Why CipherForces

Privacy-first tools that work everywhere.

100% Private

From $39

Works Offline

No Account

83 Tools

Need more than a tool?

Free quote

Explore all 83 tools

About HMAC Calculator.

Generate and Verify HMAC Signatures — Locally

Generate Mode

Verify Mode

Common Use Cases

Webhook signature verification: Stripe, GitHub, Twilio, Slack, Shopify, Vercel, Linear — all use HMAC-SHA256 over the raw request body with a shared secret.
Build a known-good test: When implementing webhook auth on your server, generate a signature with this tool and unit-test against it.
Debug "invalid signature" errors: Compare what your server computes against what the vendor sent — instantly see whether the body or the secret is the problem.
API request signing: AWS Signature v4, OAuth 1.0a, and many internal APIs use HMAC over a canonical request string.