HMAC Generator

HMAC (Hash-based Message Authentication Code) is the standard mechanism for authenticating API requests and verifying message integrity in payment systems. If you work with Nepali payment gateways — Fonepay, NCHL, eSewa, Khalti — you're computing HMACs daily.

What HMAC does

HMAC combines a secret key with a cryptographic hash function to produce a message authentication code. Given the same key and message, HMAC always produces the same output. Without the key, the output is computationally indistinguishable from random. This gives you both integrity (the message wasn't modified) and authenticity (only the key holder could have produced this MAC).

How payment switches use HMAC

Nepali payment APIs (Fonepay, NCHL F1 Soft) typically require you to: 1. Concatenate specific request fields in a defined order 2. Compute HMAC-SHA512 (or SHA256) of the concatenated string using your merchant secret key 3. Include the hex-encoded HMAC as a parameter in the API request

The server does the same computation and compares. A mismatch rejects the request — preventing replay attacks and tampering.

Security note

The HMAC secret key is your merchant credential. This tool computes HMAC entirely in your browser using the Web Crypto API — your key never leaves your device. But use this for development and debugging only. In production, HMAC must be computed server-side. Never expose your secret key in client-side code.

Choosing HMAC algorithm

Use whatever your spec requires. Fonepay uses HMAC-SHA512. NCHL uses HMAC-SHA256. For new systems, prefer HMAC-SHA256 or HMAC-SHA512. HMAC-MD5 and HMAC-SHA1 are still used in legacy systems but avoid them for new integrations.