Hash Generator

Generate SHA-256, SHA-512, SHA-1 hashes and HMAC signatures. Code snippets for Go, Python, JS, Java, Rust.

Algorithm:

Input

HMAC Key (optional — leave blank for plain hash)

Code Snippet

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

func main() {
	msg := []byte("your message")
	hash := sha256.Sum256(msg)
	fmt.Println(hex.EncodeToString(hash[:]))
}

What is a Cryptographic Hash Function?

A cryptographic hash function takes any input — a word, a file, or a JSON document — and produces a fixed-size string of bytes called a hash or digest. Hash functions are one-way: given the hash, you cannot recover the original input. The same input always produces the same output (deterministic), but a tiny change in input produces a completely different hash.

Common uses include verifying file integrity (checksums), storing passwords securely, signing API requests (HMAC), and generating commit IDs in Git. SHA-256 and SHA-512 are the current industry standards for cryptographic hashing.

HMAC (Hash-based Message Authentication Code) extends a plain hash by mixing in a secret key. This allows two parties who share the key to verify both the authenticity and integrity of a message — used in AWS Signature V4, Stripe webhook verification, and JWT HS256/HS512 tokens.

Hash Algorithms Compared

Algorithm	Output size	Speed	Security	Common uses
SHA-256	256 bits / 64 hex chars	Fast	Secure	Checksums, JWT HS256, TLS, Git commits
SHA-512	512 bits / 128 hex chars	Faster on 64-bit	More secure	Password hashing base, high-security checksums
SHA-1	160 bits / 40 hex chars	Fastest	Weak (deprecated)	Legacy systems, Git object IDs (being phased out)

SHA-1 is broken for cryptographic purposes — collision attacks are practical. Use SHA-256 or SHA-512 for any security-sensitive application.

HMAC vs Plain Hash

	Plain hash (SHA-256)	HMAC-SHA-256
Secret key	No	Yes — required
Authentication	No	Yes — verifies sender
Tampering detection	Checksum only	Cryptographically secure
Use cases	File integrity, deduplication	API signatures, JWT HS256, webhook verification

HMAC (Hash-based Message Authentication Code) binds a secret key to the hash, so only parties with the key can verify or generate the same signature. Used in AWS Signature V4, Stripe webhooks, and JWT HS256/HS512 tokens.

Go Hash and HMAC

import (
    "crypto/hmac"
    "crypto/sha256"
    "crypto/sha512"
    "encoding/hex"
    "encoding/base64"
    "fmt"
)

// SHA-256 hash
func sha256Hex(message string) string {
    h := sha256.Sum256([]byte(message))
    return hex.EncodeToString(h[:])
}

// SHA-512 hash
func sha512Hex(message string) string {
    h := sha512.Sum512([]byte(message))
    return hex.EncodeToString(h[:])
}

// HMAC-SHA-256 — for API signatures, webhook verification
func hmacSHA256(message, key string) string {
    mac := hmac.New(sha256.New, []byte(key))
    mac.Write([]byte(message))
    sum := mac.Sum(nil)
    return hex.EncodeToString(sum)
}

// Base64 output
func sha256Base64(message string) string {
    h := sha256.Sum256([]byte(message))
    return base64.StdEncoding.EncodeToString(h[:])
}

func main() {
    fmt.Println(sha256Hex("hello world"))
    fmt.Println(hmacSHA256("my message", "secret-key"))
}

Python Hash and HMAC

python

import hashlib
import hmac
import base64

# SHA-256 hash
def sha256_hex(message: str) -> str:
    return hashlib.sha256(message.encode()).hexdigest()

def sha256_base64(message: str) -> str:
    digest = hashlib.sha256(message.encode()).digest()
    return base64.b64encode(digest).decode()

# HMAC-SHA-256
def hmac_sha256(message: str, key: str) -> str:
    mac = hmac.new(key.encode(), message.encode(), hashlib.sha256)
    return mac.hexdigest()

print(sha256_hex("hello world"))
print(hmac_sha256("my message", "secret-key"))

Frequently Asked Questions

No — plain SHA-256 is too fast, making brute-force attacks cheap. For passwords, use bcrypt, scrypt, or Argon2id which are designed to be slow and memory-hard. SHA-256 is fine for checksums, message authentication (with HMAC), and non-password data integrity.

SHA-256 is a one-way hash — anyone can compute it. HMAC-SHA-256 uses a secret key, so only parties who know the key can generate or verify the same signature. HMAC is used for API authentication (AWS, Stripe), JWT HS256 tokens, and webhook validation.

Hex (0-9a-f) is human-readable and universally supported, making it easy to compare and debug. Base64 is ~33% shorter and is used in HTTP headers, JWT tokens, and protocols that prefer ASCII-safe binary encoding. For storage, hex is safer; for transmission, Base64 is common.

Yes, completely private. All hashing is done using the Web Crypto API built into your browser — no data ever leaves your device.

Hash functions are deterministic: the same input always yields the same output. This property enables integrity verification — you hash a file before and after transfer and compare. To prevent rainbow table attacks on passwords, you must add a unique random salt per password and use a password-hashing algorithm.

Related Tools

UUID Generator

Generate UUID v4 and v7 identifiers in bulk

Base64 Encoder / Decoder

Encode or decode Base64 — Standard, URL-safe, Raw

URL Encoder / Decoder

Encode or decode URLs — query, path, form encoding

JSON Escape / Unescape

Escape JSON to a string literal or unescape it

HTML Escape / Unescape

Escape and unescape HTML entities for XSS prevention

JSON Formatter

Beautify and format JSON with indentation