
HMAC Generator — Generate HMAC-SHA256/512 Signatures Online

HMAC Generator computes Hash-based Message Authentication Codes using the Web Crypto API entirely in your browser. Provide a message and a secret key, choose your algorithm (HMAC-SHA256, SHA-384, or SHA-512), and get the signature in hex, Base64, and Base64URL formats instantly. Used for signing API requests (AWS Signature v4, Stripe webhooks) and verifying data integrity. Your message and secret key never leave your machine.

How HMAC Works

HMAC is defined in RFC 2104. Given a key K and a message M, HMAC computes: HMAC(K, M) = H((K XOR opad) || H((K XOR ipad) || M)) where H is the underlying hash function (SHA-256, SHA-512, etc.), ipad is the byte 0x36 repeated to the block size, and opad is the byte 0x5C repeated to the block size. A key longer than the hash function's block size (64 bytes for SHA-256, 128 bytes for SHA-384 and SHA-512) is first hashed with H; the key is then zero-padded to exactly the block size before being XORed with ipad and opad. The nested, keyed double-hashing structure is what prevents the length-extension attacks that affect plain Merkle–Damgård hash functions like SHA-256: the attacker never sees the output of the inner hash, only the outer one.

In practice: to sign an API request with HMAC-SHA256, the server and client share a secret key. The client computes HMAC-SHA256(secret, canonical_request) and sends the hex or Base64 result in an Authorization or X-Signature header. The server recomputes the same HMAC and does a constant-time comparison. If they match, the request is authentic and unmodified.

Constant-time comparison is critical: a naive string equality check returns as soon as the first differing byte is found, and that timing difference lets an attacker recover a valid signature byte by byte. Production HMAC verification libraries therefore use a constant-time comparison (e.g. crypto.timingSafeEqual in Node.js, hmac.compare_digest in Python). Note that crypto.timingSafeEqual throws when the two buffers differ in length, so check the length first; the expected tag length is not secret.

Output Formats Explained

SmartDevBox outputs the HMAC signature in three formats. Hex (lowercase hexadecimal) is the most common format for API authentication headers — AWS Signature v4, for example, uses hex. Base64 is common in HTTP Authorization headers and JWT libraries. Base64URL (Base64 with + replaced by - and / replaced by _, and padding stripped) is used in JWTs and URLs where + and / would need percent-encoding.

All three formats represent the same underlying bytes; they are simply different text encodings of the raw binary signature. When comparing HMACs across different systems, make sure both sides use the same encoding format before comparing.

Security Best Practices

Secret key length: HMAC is only as strong as the entropy of its key. For HMAC-SHA256, use a randomly generated key of at least 32 bytes (256 bits). Shorter keys or low-entropy keys (human-chosen passwords) significantly weaken the authentication guarantee. Use a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) to generate keys — the SmartDevBox Random Password Generator can produce a suitable key.

Never hardcode HMAC secrets in source code. Store them in environment variables, a secrets manager (AWS Secrets Manager, HashiCorp Vault), or a key management service. Rotate secrets periodically and immediately after any suspected compromise.

HMAC does not encrypt the message — it authenticates it. The message content is still visible to anyone who intercepts the request. Use HTTPS (TLS) to provide confidentiality in addition to HMAC for integrity and authenticity.

Common Use Cases

  • Generating HMAC-SHA256 signatures for AWS Signature Version 4
  • Computing webhook signatures for Stripe, GitHub, and Shopify event verification
  • Signing API requests that require HMAC authentication
  • Testing and debugging HMAC implementations in your backend code
  • Verifying that two HMAC implementations produce identical output

Frequently Asked Questions

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic algorithm that combines a hash function (like SHA-256) with a secret key to produce a signature. It proves both integrity (the message was not tampered with) and authenticity (the signer knows the secret key).

What is the difference between HMAC-SHA256 and a plain SHA-256 hash?

A plain SHA-256 hash is deterministic and public: anyone can compute the same hash for the same input. HMAC-SHA256 mixes in a secret key, so only someone who knows the key can produce or verify the correct signature. This makes HMAC suitable for authentication, while plain hashes are used for checksums and deduplication.

How do I verify a Stripe webhook signature with HMAC?

Stripe signs webhook payloads with HMAC-SHA256 using your webhook signing secret. Concatenate the timestamp and raw request body as "timestamp.body", compute HMAC-SHA256 with your signing secret, and compare the hex digest to the v1 value in the Stripe-Signature header. SmartDevBox generates the HMAC so you can verify the expected value during debugging.

Which HMAC algorithm should I use?

HMAC-SHA256 is the industry standard and sufficient for virtually all use cases. HMAC-SHA512 produces a larger output (512 bits vs 256 bits), which is useful if you need a longer key-derivation output. HMAC-SHA1 is still used in some legacy systems (TOTP, OAuth 1.0) but should be avoided for new designs.

Privacy & Security

This tool runs entirely in your browser using client-side JavaScript. No data is sent to a server — your input never leaves your machine. SmartDevBox has no account system, no usage tracking, and no paid tier. See the Privacy & Security page for full details.
