Hash Generator (MD5, SHA-1, SHA-256, HMAC)

Generate hashes from text locally in your browser.

Developer Tools →

Algorithm

Use SHA-256 for modern integrity checks. Use HMAC when you need a shared secret.

HMAC secret (only for HMAC)

Your secret is used locally for HMAC and never sent to a server.

Input text

Runs locally; we don’t upload your text.

Hex

Base64

About this tool

A hash is a deterministic fingerprint of data: the same input always produces the same output. Developers use hashes to verify integrity, compare values quickly, and build signatures that detect tampering. This page lets you generate common digests (MD5, SHA‑1, SHA‑256) and HMAC variants directly in the browser, so you can troubleshoot pipelines without copying data into third‑party tools or scripts.

Choose an algorithm based on your goal. For modern integrity checks, SHA‑256 is the default: it’s widely supported, fast, and the output size is large enough to avoid accidental collisions for typical app data. SHA‑1 and MD5 still appear in legacy systems and some compatibility workflows, but they are not considered collision‑resistant, so don’t use them for new security‑sensitive designs.

If you need a shared‑secret signature, use HMAC. HMAC combines your message with a secret key and produces a digest that can be verified by anyone who has the same secret. It is commonly used for webhook validation and API request signing. When two implementations disagree, the cause is usually subtle: different text encodings (UTF‑8), different whitespace/newline normalization, different secret formatting, or signing the wrong string.

This tool also shows both hex and Base64 representations. They encode the same bytes, just in different alphabets. APIs often document digests as hex strings, while some SDKs return Base64. If you’re comparing outputs across languages, make sure you compare the same representation and the same byte sequence. Once the inputs match exactly, the hashes will match.

Use cases

Validate payload integrity when you download or generate files.
Reproduce API signature inputs to debug mismatched hashes.
Generate stable identifiers for fixtures, tests, or cache keys.
Check whether two strings are identical after normalization.
Create HMAC digests for webhook verification during development.
Compare hex vs Base64 outputs when integrating with SDKs.

How it works

1Choose the algorithm (MD5, SHA-1, SHA-256, or HMAC).
2Paste the text you want to hash (payload, ID, signature base string).
3If you choose HMAC, enter a secret key.
4Generate the digest and copy it as hex or Base64.
5Compare results across systems to debug encoding and signing mismatches.

Hash Generator FAQ

›Is MD5 or SHA-1 safe for passwords?

No. Password storage should use a dedicated password hashing scheme like bcrypt, scrypt, or Argon2 with a salt. MD5/SHA are fast and not suitable for password hashing.

›What is HMAC and when should I use it?

HMAC is a keyed hash. Use it when you need to prove a message was created by someone who knows a shared secret (for example, verifying webhooks or signing API requests).

›Why don’t my hashes match another tool?

Most mismatches come from different encodings (UTF‑8 vs Latin‑1), different newlines (\n vs \r\n), hidden spaces, or signing a different string than you think. Normalize inputs and compare byte-for-byte.

›Hex vs Base64: which should I use?

They represent the same digest bytes. Use the format your API expects. Hex is common in docs; Base64 is common in libraries and token-related workflows.

›Do you upload my text or secret key?

No. Hashing happens locally in your browser. For HMAC, the secret key is used locally and never sent to a server.

›Can I hash files?

This page focuses on hashing text. If you need file hashing, it can be added as a separate workflow (drag-and-drop file → digest).