catalyst.tools

Hash & Security Toolkit

MD5, SHA-1, SHA-256, SHA-512 hash generator, HMAC, AES-256-GCM encryption/decryption, JWT builder, and password generator.

What's included in Hash & Security Toolkit

5 tools, all free and client-side — no login or data upload required.

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 cryptographic hashes from any text simultaneously — all client-side.

  • Verify file integrity by comparing checksums
  • Hash passwords for storage verification examples
  • Generate content fingerprints for caching

HMAC Generator

Compute HMAC-SHA256 and HMAC-SHA512 message authentication codes using a secret key for API request signing.

  • Sign API webhook payloads for verification
  • Implement request authentication for REST APIs
  • Validate message integrity in secure communications

AES Encrypt / Decrypt

Encrypt and decrypt text using AES-256-GCM with PBKDF2 key derivation via the browser's Web Crypto API — no data leaves your device.

  • Encrypt sensitive config values before storing
  • Securely share confidential text via messaging apps
  • Prototype AES encryption logic before coding it

JWT Builder & Signer

Construct JSON Web Tokens with custom header algorithms and payload claims, and decode any existing JWT for debugging.

  • Build test JWTs for API development and debugging
  • Inspect and decode production tokens during incidents
  • Prototype JWT-based authentication flows

Password Generator

Generate cryptographically strong passwords with custom length, character sets, symbols, and entropy display.

  • Create strong unique passwords for new accounts
  • Generate API keys and secret tokens
  • Produce password suggestions meeting specific policy rules

About Hash & Security Toolkit

The Hash & Security Toolkit gives developers production-grade cryptographic primitives that run entirely in the browser via the Web Crypto API. Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from any text simultaneously, sign messages with HMAC-SHA256 or HMAC-SHA512, encrypt and decrypt text with AES-256-GCM, build and sign JWTs, and generate cryptographically strong passwords with configurable entropy.

Every operation uses your browser's native crypto implementation — the same code that powers TLS and WebAuthn — so results are identical to what you would get from Node's crypto module or OpenSSL. No keys, plaintext, or ciphertext are transmitted anywhere. This makes the toolkit safe to use with production API secrets, webhook signing keys, and confidential payloads.

The AES tool uses PBKDF2 with 100,000 iterations to derive a key from your passphrase, then encrypts with AES-256 in GCM mode for authenticated encryption. The JWT builder supports HS256, HS384, and HS512 algorithms and displays a live preview of the encoded token as you edit the header and payload.
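The passphrase-to-ciphertext flow described above, as an added example (not the toolkit's own code). The salt and IV sizes and the `salt || iv || ciphertext` layout are assumptions, since the page does not state them. The demo also shows GCM rejecting a modified blob and a wrong passphrase.

```javascript
// Passphrase -> PBKDF2-SHA256 (100,000 iterations) -> AES-256-GCM, via Web Crypto.
// Assumptions (not stated on the page): 16-byte salt, 12-byte IV, and a
// salt || iv || ciphertext+tag layout. All sample strings are constructed.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // browser or Node
const enc = new TextEncoder();

async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 100000 },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function encryptText(passphrase, plaintext) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh for every message
  const iv = wc.getRandomValues(new Uint8Array(12));   // must never repeat under one key
  const key = await deriveKey(passphrase, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(plaintext)));
  const out = new Uint8Array(28 + ct.length);          // ct already ends with the 16-byte tag
  out.set(salt, 0); out.set(iv, 16); out.set(ct, 28);
  return out;
}

async function decryptText(passphrase, blob) {
  if (blob.length < 28 + 16) throw new Error('blob too short for salt, IV and tag');
  const salt = blob.slice(0, 16), iv = blob.slice(16, 28), ct = blob.slice(28);
  const key = await deriveKey(passphrase, salt);
  // decrypt() rejects if the tag does not verify: wrong passphrase or modified data.
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct);
  return new TextDecoder().decode(pt);
}

// Round trip, then flip one bit and try a wrong passphrase; both must be rejected.
async function demo() {
  const pass = 'constructed passphrase';
  const blob = await encryptText(pass, 'db_password=example');
  const roundTrip = await decryptText(pass, blob);
  const tampered = blob.slice();
  tampered[tampered.length - 1] ^= 1;
  const rejected = (p) => p.then(() => false, () => true);
  const tamperRejected = await rejected(decryptText(pass, tampered));
  const wrongPassRejected = await rejected(decryptText('wrong passphrase', blob));
  return { roundTrip, tamperRejected, wrongPassRejected, length: blob.length };
}
```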

How to use Hash & Security Toolkit

  1. Pick the algorithm

    Select a tab: Hash, HMAC, AES, JWT, or Password. Each tool uses the Web Crypto API for cryptographically secure results.

  2. Provide input and key

    Enter the message you want to hash, sign, or encrypt. For HMAC and AES, enter the key or passphrase separately. For JWT, edit the header and payload JSON.

  3. Run the operation

    Hashes and HMACs compute live as you type. AES and JWT require a button press to encrypt, decrypt, or sign.

  4. Copy or verify

    Copy the hash, ciphertext, or signed token. For verification, paste the expected value and compare — nothing is logged.

Frequently asked questions

Should I use MD5 for password storage?
No. MD5 and SHA-1 are cryptographically broken and should never be used for password storage. Use a password-hashing function like bcrypt, scrypt, or Argon2 on the server. MD5 and SHA-1 are still acceptable for non-security use cases like file checksums and cache keys.

What's the difference between a hash and an HMAC?
A hash is a one-way function of a message only. An HMAC is a one-way function of a message plus a secret key — which allows the recipient to verify that the message was produced by someone who knows the key. Use HMAC for webhook signing and API request authentication.

Is the AES tool safe for sensitive data?
Yes. The tool uses AES-256-GCM (authenticated encryption) with a PBKDF2-derived key (100,000 iterations, SHA-256). All operations run in the browser via Web Crypto, so plaintext and keys never leave your device. That said, for long-term secret storage use a proper key management service.

Can I verify a JWT signature built by this tool in my backend?
Yes. Tokens produced by the JWT Builder follow RFC 7519 and can be verified by any compliant library (jsonwebtoken in Node, PyJWT in Python, jose in Go) using the same shared secret and algorithm.

How much entropy does the Password Generator produce?
The generator uses crypto.getRandomValues() for true CSPRNG output. A 16-character password using uppercase + lowercase + digits + symbols has ~104 bits of entropy — well beyond the 80-bit threshold considered safe for decades against offline attack.

Can I use HMAC-SHA256 to sign webhook payloads like GitHub or Stripe?
Yes. The HMAC tool produces bytes identical to GitHub's X-Hub-Signature-256 and Stripe's Stripe-Signature headers when given the same payload and secret. Use it to verify signatures locally during webhook development.
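
Receiver-side verification for the two webhook formats named above, as an added example (not the toolkit's code). GitHub sends `sha256=<hex>` computed over the raw body, while Stripe sends `t=<timestamp>,v1=<hex>` computed over `<timestamp>.<raw body>`. The function names, secrets and payloads are constructed, and the 300-second tolerance is a parameter chosen for the example.

```javascript
// HMAC-SHA256 webhook verification with Web Crypto (browser or Node).
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => /^([0-9a-f]{2})+$/i.test(hex)
  ? Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16)) : null;

const hmacKey = (secret) => wc.subtle.importKey(
  'raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);

async function signHex(secret, message) {
  return toHex(await wc.subtle.sign('HMAC', await hmacKey(secret), enc.encode(message)));
}

// subtle.verify recomputes the MAC and compares it inside the crypto
// implementation, instead of a hand-written === on two hex strings.
async function verifyHex(secret, message, hex) {
  const sig = fromHex(hex ?? '');
  return sig !== null &&
    wc.subtle.verify('HMAC', await hmacKey(secret), sig, enc.encode(message));
}

// GitHub: X-Hub-Signature-256: sha256=<hex HMAC of the raw request body>
async function verifyGitHub(secret, rawBody, header) {
  const [scheme, hex] = String(header).split('=');
  return scheme === 'sha256' && verifyHex(secret, rawBody, hex);
}

// Stripe: Stripe-Signature: t=<unix ts>,v1=<hex HMAC of "<ts>.<raw body>">
// The timestamp is part of the signed data, so a stale delivery can be refused.
async function verifyStripe(secret, rawBody, header, nowSec, toleranceSec = 300) {
  const parts = String(header).split(',').map((p) => p.split('='));
  const t = parts.find(([k]) => k === 't')?.[1];
  if (!/^\d+$/.test(t ?? '')) return false;
  if (Math.abs(nowSec - Number(t)) > toleranceSec) return false;
  for (const [k, v] of parts) {
    if (k === 'v1' && await verifyHex(secret, `${t}.${rawBody}`, v)) return true;
  }
  return false;
}
```

Verify against the raw request bytes as received; re-serialising parsed JSON changes whitespace and key order, and the MAC no longer matches.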
