Free Online Hash Generator & Encoders

About this tool

This hash generator and encoder suite combines six cryptographic hash functions (MD5, SHA-1, SHA-256, SHA-384, SHA-512, HMAC-SHA256) with eight encoding and decoding transforms (Base64 encode/decode, URL encode/decode, Hex encode/decode, HTML entity encode/decode, ROT13) and a JWT decoder - all in a single tool running entirely in your browser. Input text is processed using the browser's native Web Crypto API for SHA variants and HMAC; MD5 is implemented in pure JavaScript since it is not part of the Web Crypto standard. Auto-run mode updates the output as you type, making it fast to iterate on hash comparisons or encoding transforms without clicking Run each time.

Real example

Input: hello world

MD5:      5eb63bbbe01eeed093cb22bb8f5acdc3
SHA-1:    2aae6c69ce2b5483d34e39d2af4f7b93b69a498e
SHA-256:  b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576dc7d3af
SHA-512:  309ecc489c12d6eb4cc40f50c902f2b4d0ed77ee511a7c7a9bcd3ca...
Base64:   aGVsbG8gd29ybGQ=
Hex enc:  68656c6c6f20776f726c64
URL enc:  hello%20world

Notice that the same input produces a completely different hash for each algorithm. SHA-256 output is 64 hex characters (256 bits); SHA-512 is 128 hex characters (512 bits). These are deterministic - the same input always produces the same hash, and a one-character change produces a completely different output (the avalanche effect).

Common use cases

• Checksum verification: Hash a configuration file, API response payload, or downloaded artifact to produce a SHA-256 fingerprint. Compare it against a known-good hash to verify integrity without needing a binary comparison tool.
• HMAC request signing: Many API authentication schemes (AWS Signature v4, Stripe webhook verification, GitHub webhook validation) use HMAC-SHA256 with a shared secret key. Paste the signing string and your secret to compute the expected signature and compare it against what your code produces.
• Base64 encoding for Authorization headers: HTTP Basic Auth sends credentials as Base64(username:password) in the Authorization header. Encode and decode credentials here to debug authentication issues without writing code.
• JWT inspection: JWT tokens are three dot-separated Base64url-encoded segments. Select JWT decode mode, paste the full token, and read the header and payload JSON directly - without needing to install a separate tool. Note: this decodes only; it does not verify the signature.

How it works

Processing runs in a Web Worker to avoid blocking the UI for large inputs. SHA-1, SHA-256, SHA-384, SHA-512, and HMAC-SHA256 use the browser's crypto.subtle API (Web Crypto standard), which produces spec-compliant results identical to OpenSSL and Python's hashlib. MD5 is not in the Web Crypto standard, so it is computed by a pure JavaScript implementation that produces the same output as OpenSSL's MD5. Base64 encoding converts the UTF-8 byte representation of the text to standard Base64 (RFC 4648). URL encoding uses JavaScript's encodeURIComponent(), which encodes all characters except unreserved characters (A-Z, a-z, 0-9, -, _, ., ~).

Common mistakes

• Trailing newlines causing hash mismatches: When copying text from a terminal or editor, hidden trailing newlines are frequently included. The "Trim input" option strips these before hashing. If your hash differs from a reference value, try enabling trim first - this resolves the majority of "hash mismatch" debugging situations.
• CRLF vs LF line endings: A file with Windows line endings (CRLF, \r\n) produces a different hash than the same file with Unix line endings (LF, \n). When comparing hashes across operating systems, normalize line endings first. Git's autocrlf setting silently converts line endings on checkout, which can cause unexpected hash differences.
• MD5 for security purposes: MD5 is broken for cryptographic use - collisions are computationally feasible. Use MD5 only for non-security purposes like quick data integrity checksums or legacy system compatibility. For any authentication, integrity checking, or certificate use, use SHA-256 or SHA-512.

FAQ

Why does my SHA-256 hash not match what OpenSSL produces
The most common cause is a trailing newline. echo "hello world" | openssl dgst -sha256 includes the newline character that echo appends. Use printf "hello world" | openssl dgst -sha256 (no newline) and enable "Trim input" here - both should produce the same b94d27b9... hash.

What is the difference between Base64 and Base64url
Standard Base64 uses + and / as the 62nd and 63rd characters, plus = padding. Base64url replaces + with - and / with _, and omits padding - making it safe for URL query parameters without percent-encoding. JWTs use Base64url for all three segments.

Does this tool upload my input
No. All hashing, encoding, and decoding runs in a browser Web Worker - a local JavaScript thread. Nothing is transmitted to any server. The tool is safe for hashing passwords, API keys, or other sensitive material during debugging.

Can I use this to verify HMAC webhook signatures
Yes. Select HMAC-SHA256, paste the webhook signing secret as the HMAC key, and paste the raw request body as the input. The output should match the signature in the webhook's header (e.g., X-Hub-Signature-256 for GitHub, Stripe-Signature for Stripe). Most platforms prefix the hex with sha256= - compare only the hex portion.