Hash Generator
Hash Generator computes MD5, SHA-1, SHA-256, and SHA-512 digests from the text or file you provide, all in one place. Use it whenever you want to "check several algorithms at once," verify that a downloaded file matches a published checksum, or quickly produce a digest for documentation or a ticket.
All text and files you provide are processed entirely in your browser and are never sent to a server.
About Hash Generator
In text mode every digest updates the moment you finish typing — no "convert" button needed. Multi-byte text (Japanese, Chinese, emoji, symbols, …) is encoded as UTF-8 so you do not have to worry about character encoding. Switch to file mode and you can drag-and-drop a file or pick one from the file picker; all four algorithms are computed in parallel.
You can render the output as lowercase hex, UPPERCASE hex, or Base64 with a single click — matching whatever the CLI tool (shasum, md5sum) or HTTP header (Digest:) on the other end expects. The "Compare with expected hash" field accepts a hex or Base64 digest (spaces and colons are stripped automatically) and shows a green ✓ or red ✗ next to each algorithm, making file-integrity checks effortless.
Switch the top-level mode to HMAC and a secret-key field appears, letting you compute HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512. This is handy for verifying webhook signatures or API request signatures by hand. Note that MD5 is disabled in HMAC mode because the browser's built-in Web Crypto API does not implement HMAC-MD5.
Everything (text, files, and HMAC keys) stays inside your browser; nothing is uploaded to any server.
How to use
- Pick "Hash" or "HMAC (keyed)" at the top. HMAC mode also reveals a secret-key input below.
- Choose "Text" or "File" under "Input." Paste text directly, or drag-and-drop / select a file.
- In "Algorithms," tick the digests you want (MD5 / SHA-1 / SHA-256 / SHA-512). All four are enabled by default.
- Use "Output format" to switch between lowercase hex, UPPERCASE hex, or Base64. Lowercase hex matches typical CLI output.
- To verify integrity, paste the expected value into "Compare with expected hash" — hex or Base64 both work. A ✓ or ✗ appears next to each matching algorithm.
- Use the "Copy" button at the top-right of each result card to copy that algorithm's digest to the clipboard.
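The compare step described above, as an added Python example (not the tool's own code): it hashes UTF-8 input with all four algorithms, accepts an expected value in hex or Base64 with spaces and colons, and reports a match per algorithm. The function names and the sample input are constructed for illustration.

```python
import base64
import hashlib
import hmac

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")
HEX_LENGTHS = {hashlib.new(name).digest_size * 2 for name in ALGORITHMS}

def digests(data: bytes) -> dict:
    """Raw digest bytes for each algorithm the page lists."""
    return {name: hashlib.new(name, data).digest() for name in ALGORITHMS}

def render(raw: bytes, fmt: str = "hex") -> str:
    """Render as lowercase hex ("hex"), uppercase hex ("HEX") or standard Base64."""
    if fmt == "base64":
        return base64.b64encode(raw).decode("ascii")
    if fmt not in ("hex", "HEX"):
        raise ValueError(f"unknown format: {fmt}")
    return raw.hex().upper() if fmt == "HEX" else raw.hex()

def parse_expected(value: str) -> bytes:
    """Decode an expected digest pasted as hex or Base64 into raw bytes.

    Whitespace and ':' separators are dropped first. Hex is case-insensitive
    but Base64 is not, so the value is decoded rather than lowercased.
    Raises ValueError if it is neither valid hex nor valid Base64.
    """
    cleaned = "".join(ch for ch in value if not ch.isspace() and ch != ":")
    is_hex = all(ch in "0123456789abcdefABCDEF" for ch in cleaned)
    if is_hex and len(cleaned) in HEX_LENGTHS:
        return bytes.fromhex(cleaned)
    return base64.b64decode(cleaned, validate=True)

def compare(data: bytes, expected: str) -> dict:
    """Map each algorithm to True (match) or False for the expected value."""
    want = parse_expected(expected)
    return {name: hmac.compare_digest(raw, want)
            for name, raw in digests(data).items()}

if __name__ == "__main__":
    text = "abc"  # constructed sample input, encoded as UTF-8 like the tool does
    published = "BA:78:16:BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD"
    for name, ok in compare(text.encode("utf-8"), published).items():
        print(f"{name:7} {'match' if ok else 'no match'}")
```

A trailing newline in the input (for example from `echo` without `-n`) changes every digest, which is the usual reason a text hash fails to match a published value.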
Use cases
- Verifying that a downloaded ZIP / DMG / ISO matches the SHA-256 checksum published by the vendor.
- Learning how Git object IDs (SHA-1) work, or computing the SHA-1 of an object by hand.
- Comparing the HMAC-SHA256 signature produced by your server against a known-good value when implementing JWT, OAuth, or webhook flows.
- Sanity-checking AWS Signature V4 or Slack / GitHub webhook signing implementations before writing the production code path.
- Producing a quick MD5 or SHA-256 of a short string (password, token, URL) to drop into a document or ticket.
Notes
- Text is encoded as UTF-8 before hashing, so multi-byte characters (Japanese, Chinese, emoji, symbols, …) are handled correctly.
- Files are loaded into browser memory and hashed locally. The maximum file size is 50 MB; larger files will be rejected.
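- MD5 and SHA-1 have practical collision attacks and are not recommended for security-critical use (password storage, integrity guarantees, digital signatures). For compatibility with existing protocols (checksum verification, Git object IDs, …) they are still useful. Prefer SHA-256 or stronger for new designs. For password storage specifically, use a dedicated password-hashing function such as Argon2, scrypt, or bcrypt rather than any fast digest, SHA-256 included.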
- MD5 is unavailable in HMAC mode because the Web Crypto API only supports HMAC over SHA-1 / SHA-256 / SHA-384 / SHA-512.
- HMAC keys are interpreted as UTF-8 byte sequences. If your key is already encoded in hex or Base64, decode it first before pasting.
- The Base64 output uses the standard alphabet (A–Z, a–z, 0–9, +, /, with = padding), not the URL-safe variant. This matches `openssl ... -binary | base64`.
- The compare field is case-insensitive and ignores whitespace and `:` separators. Both hex and Base64 expected values are accepted.
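The HMAC key note above, as an added Python example (not the tool's own code): a key that was handed to you in hex produces a different MAC when its characters are used as the key than when it is decoded to bytes first. The function names are hypothetical; the sample key, message and signature are RFC 4231 test case 2, with the key written in hex for this illustration.

```python
import hmac

def key_as_pasted(key_text: str) -> bytes:
    """How a UTF-8 key field reads the input: the characters themselves."""
    return key_text.encode("utf-8")

def key_from_hex(key_text: str) -> bytes:
    """Decode a hex-encoded key to the raw bytes the signer actually used."""
    return bytes.fromhex(key_text)

def hmac_hex(key: bytes, message: bytes, algorithm: str = "sha256") -> str:
    """HMAC over message as lowercase hex; algorithm is sha1, sha256 or sha512."""
    return hmac.new(key, message, algorithm).hexdigest()

def verify(key: bytes, message: bytes, received_hex: str,
           algorithm: str = "sha256") -> bool:
    """Check a received hex signature with a constant-time comparison."""
    try:
        received = bytes.fromhex(received_hex.strip())
    except ValueError:
        return False  # not hex at all: reject rather than raise
    expected = hmac.new(key, message, algorithm).digest()
    return hmac.compare_digest(expected, received)

# Constructed sample: RFC 4231 test case 2, with the key b"Jefe" written in hex.
KEY_HEX = "4a656665"
MESSAGE = b"what do ya want for nothing?"
SIGNATURE = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"

if __name__ == "__main__":
    # The hex text used directly as the key does not reproduce the signature.
    print("hex text as key:", verify(key_as_pasted(KEY_HEX), MESSAGE, SIGNATURE))
    # Decoding the hex to the 4 raw key bytes does.
    print("decoded key    :", verify(key_from_hex(KEY_HEX), MESSAGE, SIGNATURE))
```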