Hash Generator (MD5, SHA-1, SHA-256, HMAC)

Hashing is one of those small computational primitives that quietly underpins enormous amounts of modern infrastructure — file integrity verification, password storage, digital signatures, deduplication systems, content-addressable storage, blockchain consensus, distributed cache invalidation, and dozens of other systems all depend on the property that a hash function maps input bytes to a fixed-size fingerprint that's effectively impossible to reverse. The everyday developer use is much narrower: confirming a file matches a published checksum, generating a signature for a webhook payload, comparing two large objects for equality without comparing every byte. This tool covers the common operations in one workspace with predictable defaults and clear output.

Algorithm choice matters more than people initially appreciate, and the right answer depends on what the hash is being used for. For modern integrity checking — comparing files, deduplication, content hashing — SHA-256 is the right default. It's fast, widely supported, and the 256-bit output makes accidental collisions essentially impossible at any practical scale. SHA-512 is the right pick when you specifically need a longer digest (for cryptographic protocols that specify it) or when targeting 64-bit platforms where SHA-512 happens to be faster than SHA-256. SHA-1 and MD5 still appear in legacy systems but are not collision-resistant — both have practical attacks against their collision properties, which means they should never be used for security-sensitive purposes in new designs.

HMAC is the right tool whenever a shared-secret signature is needed rather than a plain hash. The pattern shows up everywhere: webhook signatures from Stripe, GitHub, Twilio, and other providers; API request signing for AWS Signature V4 and similar schemes; OAuth 1.0a request signatures (for the unfortunate few systems still on it); session integrity tokens. HMAC takes a message and a secret key, combines them in a way that's mathematically immune to length-extension attacks, and produces a digest that anyone with the same secret can verify. The two pieces of the puzzle — message bytes and key bytes — must match exactly between the two parties for the verification to succeed.

The most common source of HMAC verification failures is not the hash function itself but the input normalization that happens before the hash. Two systems that disagree on whether to include trailing newlines, whether to URL-encode certain characters, whether to sort query parameters alphabetically, whether to strip BOM markers from UTF-8 strings, or whether to use canonical JSON formatting will produce different hashes for what the developer sees as 'the same' input. Debugging these cases requires getting the byte-exact representation of what each side is actually hashing, comparing them character by character, and finding the difference. The tool here helps by showing the exact input bytes alongside the hash output, which makes it possible to compare both sides of a failing webhook integration.

Hex versus Base64 output formats deserve a brief mention because mixing them is a recurring source of debugging confusion. The same hash can be represented as hex (lowercase or uppercase, 64 characters for SHA-256) or as Base64 (regular or URL-safe, 44 characters for SHA-256). Two implementations producing 'different' hashes that turn out to encode the same bytes is a common situation; the tool here shows both representations side by side so you can quickly spot when the underlying digest is actually identical and the disagreement is purely about output formatting.

File hashing is the case that distinguishes a complete tool from a text-only one. Verifying that a downloaded ISO matches the published SHA-256 checksum is the canonical use case, but file hashing also comes up in deduplication workflows (do these two large objects have identical content?), forensic analysis (is this file byte-identical to the known reference?), and content-addressable storage (what's the canonical address of this blob?). The tool here computes hashes of files entirely in the browser using the WebCrypto API, with no upload to any server, which is essential when the files being hashed are sensitive material whose content shouldn't leave the user's machine.