Hash & HMAC Generator
Generate SHA-1/256/384/512 and MD5 hashes plus keyed HMAC codes.
Why use this tool
01Hash and HMAC generator using the browser's Web Crypto API. Switch between plain hash mode and keyed HMAC mode for webhook signatures and API signing.
Two modes: Hash generates plain digests (SHA-1, SHA-256, SHA-384, SHA-512, MD5) of any text input — useful for content fingerprinting, deduplication, and verifying against published checksums. HMAC generates keyed message authentication codes (HMAC-SHA1, HMAC-SHA256, HMAC-SHA512) using a secret key you supply — useful for signing webhook payloads, verifying API requests, and any flow where you need authenticated hashes.
Picks the right tool for your verification need: a plain hash answers "is this content unchanged?" An HMAC answers "is this content unchanged AND did the signer have the shared secret?" Many security bugs come from using a plain SHA-256 where an HMAC was required (a plain hash can be regenerated by anyone with the content).
Hashing uses the browser's native Web Crypto API where available (SHA family) and a pure-JS implementation for MD5. The text input — including any secret keys you paste — never leaves your browser. Safe to use with API signing secrets, webhook keys, or other shared secrets you'd never paste into an online tool.
Pair with our Base64 Tool when an API expects the HMAC output in Base64 (the tool emits hex by default; convert as needed), or with UUID Generator when you need an alternative source of unique identifiers.
How to use
02Quick checks before you copy
03Confirm the input is the format you intended.
Scan the result before using it in a document, URL, config, or message.
Copy only the output you need.
Use Cases
Generate a checksum for a downloaded file and compare it to the publisher's checksum to confirm the file hasn't been tampered with.
Generate a hash of a password string to understand how one-way hashing works, or to verify hashing behavior in development.
Hash file contents to generate a cache key that changes only when the content changes — used in CDN cache busting.
Hash multiple files and compare the hashes to identify exact duplicates without reading file contents directly.
Tips & Tricks
- 01Use SHA-256 for modern applications
MD5 and SHA-1 are cryptographically broken for security purposes. Use SHA-256 or SHA-512 for anything security-sensitive.
- 02Hashes are deterministic
The same input always produces the same hash. Even a single character difference produces a completely different hash.
- 03Hashing is one-way
You cannot reverse a hash to recover the original input. This makes hashing suitable for verification, but not encryption.
FAQ
04Is my input sent to a server for hashing?
No. All hashing runs locally in your browser using the built-in Web Crypto API.
What hash algorithms are supported?
MD5, SHA-1, SHA-256, SHA-384, and SHA-512 are supported. SHA-256 is recommended for most use cases.
Is MD5 safe to use?
MD5 is not safe for security purposes — collisions can be generated intentionally. It's still useful for non-security checksums like verifying file integrity against known-good hashes.
Can I hash a file instead of text?
Not in this tool — the input is text-only. For hashing files locally, use a command-line tool: shasum -a 256 file (macOS/Linux), CertUtil -hashfile file SHA256 (Windows), or Get-FileHash file -Algorithm SHA256 (PowerShell). Browsers can hash file Blobs via Web Crypto too, but exposing that here would require a different workflow than the current paste-and-hash UI.
What's the difference between hash and HMAC?
A plain hash (SHA-256, MD5, etc.) only depends on the input — anyone can compute it given the content. An HMAC adds a secret key: the same input with a different key produces a different output. Use HMAC when you need to prove a message came from someone with the shared secret (webhook signatures, API request signing, session integrity). Use a plain hash for content fingerprinting and deduplication.
What's the difference between a hash and encryption?
Encryption is reversible given the right key — you can recover the original content. Hashing is one-way — given a hash, you can't recover the input (you can only check whether a candidate input produces the same hash). Use encryption for confidentiality; use hashing for integrity verification and content fingerprinting.
Related tools
03Base64 Encoder / Decoder→
Encode text to Base64 or decode Base64 to text.
JWT Decoder & Verifier→
Decode, build, and verify JWT tokens — entirely client-side (HS256).
JSON Formatter→
Format, minify, and validate JSON in one place.