SHA-256 / SHA-512 hash generator

How cryptographic hashing works

A cryptographic hash function takes an arbitrary message (text or bytes) and produces a fixed-size digest. The same input always yields the same digest; a tiny change in input yields an unrelated digest. Hashes are one-way: you cannot recover the original message from the digest alone. That makes them useful for integrity checks — verifying that a download or config file was not corrupted or swapped — and for comparing artifacts without storing the full content.

SHA-256 and SHA-512 are part of the SHA-2 family and are widely used in APIs, TLS certificates, and package managers. SHA-384 is also SHA-2; it sits between them in output size and is common in enterprise policies. This tool computes digests using your browser’s built-in Web Crypto implementation so results match other standards-compliant tools when the same bytes are hashed.

UTF-8 matters for text. The same visible string must be encoded to bytes the same way everywhere. We hash the UTF-8 encoding of your textarea, matching what most command-line tools do with Unicode input. For files, we hash raw file bytes exactly as on disk — no line-ending conversion.

SHA-256 vs SHA-512 — which should you use?

For new systems, SHA-256 is the default choice: 256-bit output, excellent library support, and a long track record. SHA-512 produces a longer digest (512 bits) and can be preferred when policies or APIs ask for it; both are from the same family and are not “more secure” than the other in a casual sense — pick what your spec or team standard requires.

SHA-1 is available here only for legacy compatibility (old checksums, Git object ids in some contexts). It is not suitable for new security designs because collision attacks are practical for motivated attackers. Leave SHA-1 off unless you are verifying an existing SHA-1 value.

Hashing is not encryption. A digest does not hide your data. If you need confidentiality, use real encryption (and key management). If you need to store passwords, use a slow password hash (Argon2, bcrypt, scrypt) — not a single SHA-256 of the password.

HMAC vs plain SHA

HMAC (Hash-based Message Authentication Code) combines a secret key with your message using a hash function inside a defined construction. It answers: “Was this message produced by someone who knows the key?” It is used in APIs, webhooks, and signed URLs. It does not encrypt the message; anyone who can see the message can see it. When you enter a secret on this page, treat it like a password on a shared PC — we never send it to our servers, but shoulder-surfing still applies.

Common use cases

• Verify a download — compare the site’s published SHA-256 with what you compute locally.
• Debug API signatures — match HMAC-SHA-256 to what your backend expects (same key bytes, same message bytes).
• Config drift — hash a canonical file to detect accidental edits.
• Pair with other tools — compare with Base64 output from APIs or inspect tokens with the JWT decoder.

When this tool is the wrong choice

MD5 is not exposed in Web Crypto in browsers; for legacy MD5 checksums use openssl md5 or your language’s crypto library. Very large files (gigabytes) should use streaming tools on the command line — this page caps files at 2 MB to keep the tab responsive.

For structured data in transit, pair hashing with the rest of your security story: TLS, key rotation, and least-privilege access — not just a digest in isolation.

Online hash generator for developers

People search for an online hash generator, SHA-256 calculator, or file checksum when they need a quick answer without installing software. This page keeps processing in the browser for privacy and shows both hex and Base64 so you can match API docs. For automation and recurring checks, see how CloudyBot runs tasks on a schedule.

Related tools