Compute HMAC signatures over a message and a secret key. Useful for webhook signature verification (Stripe, GitHub, Cloudflare), API request signing, and integrity checking. Output in hex and base64. Uses the browser's SubtleCrypto, never transmitted.