Hash Generator
MD5, SHA-1/256/384/512 for text or files. Verify checksums and compute HMACs.
This free hash generator computes MD5, SHA-1, SHA-256, SHA-384, and SHA-512 digests entirely in your browser. Text and files are hashed locally and never uploaded. It also verifies downloads against published checksums and produces keyed HMAC-SHA signatures.
How to use
- Pick Text or File with the mode toggle. File mode takes files up to 100 MB via the drop zone or Choose file button.
- Type or paste your input (Paste, Sample, and Clear buttons sit above the editor) or drop a file. All five digests recompute live.
- To verify a checksum, paste it into Expected hash. Case, spaces, and colons are ignored. A matching row lights up with a Match badge; otherwise a red No match badge appears.
- To sign instead of hash, enter a secret in HMAC key (text mode). The SHA rows become HMAC-SHA-1 through HMAC-SHA-512; HMAC-MD5 is unsupported.
- Copy a single row, or use Copy all / Download above the list. Tick Uppercase digests for uppercase hex.
Worked example
Hashing the pangram
The quick brown fox jumps over the lazy dog (the
built-in Sample) gives MD5
9e107d9d372bb6826bd81d3542a419d6 and SHA-256
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592. Add the HMAC key key and the SHA-256 row
becomes HMAC-SHA-256
f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8, so the digest now depends on the secret as well as the
message.
Verifying a download
Release pages often publish a SHA-256 checksum next to each file. Switch to File mode, drop in your download, and paste the published value into Expected hash. A green Match · SHA-256 badge means the file arrived intact; No match means corruption or tampering, so download it again. Your checksum is compared against every digest at once, so you needn't know which algorithm the site used.
What the HMAC key does
An HMAC mixes a secret key into the calculation, so the digest proves the sender knew the key. That's how webhook providers like Stripe and GitHub sign payloads. Paste the raw request body, enter your signing secret, and compare the HMAC-SHA-256 row against the signature header to debug verification failures.
Notes: MD5 and SHA-1 are cryptographically broken, so use them only for legacy compatibility or quick fingerprints, never for security; SHA-256 is the modern default. SHA hashing uses the browser's Web Crypto API, which requires a secure (HTTPS) context; the tool shows a clear error if it's unavailable.
FAQ
More questions? Browse the full FAQ.
Need to inspect what you're hashing? Decode an encoded payload first with the Base64 encoder and decoder, or pinpoint where two near-identical inputs differ with the text diff checker.