Hashing is everywhere — password storage, data integrity checks, cache keys, digital signatures. ApiCrate's hash API gives you access to multiple algorithms through a single, consistent interface.
Available Algorithms¶
| Algorithm | Use Case | Speed |
|---|---|---|
| MD5 | Checksums, cache keys | Very fast |
| SHA-256 | Data integrity, signatures | Fast |
| SHA-512 | High-security integrity | Fast |
| bcrypt | Password storage | Intentionally slow |
| argon2 | Modern password storage | Intentionally slow |
Quick Checksums¶
For non-security use cases (checksums, cache keys, deduplication):
curl -X POST https://api.apicrate.io/api/v1/hash/sha256 \
-H "X-API-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"input": "hello world"}'
{
"status": "ok",
"data": {
"algorithm": "sha256",
"hash": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
}
}
Password Hashing¶
For passwords, never use MD5 or SHA. Use bcrypt or argon2:
import requests
# Hash a password
resp = requests.post(
"https://api.apicrate.io/api/v1/hash/argon2id",
headers={"X-API-Key": "YOUR_KEY"},
json={
"input": "correct-horse-battery-staple",
},
)
result = resp.json()["data"]
hashed = result["hash"]
print(hashed)
# $argon2id$v=19$m=65536,t=3,p=4$...
print(result["algorithm"]) # argon2id
Why offload hashing to an API? Password hashing algorithms like argon2 are CPU-intensive by design. Offloading to ApiCrate keeps your application server responsive, especially under high concurrency.
Verifying Passwords¶
For digest hashes (MD5, SHA-256, SHA-512), verification is straightforward — hash the input again and compare:
resp = requests.post(
"https://api.apicrate.io/api/v1/hash/sha256",
headers={"X-API-Key": "YOUR_KEY"},
json={"input": user_input},
)
is_match = resp.json()["data"]["hash"] == stored_hash
For password hashes (bcrypt, argon2), each call produces a different hash because of random salting. You cannot re-hash and compare. Instead, use a local library like argon2-cffi or bcrypt to verify against the stored hash — the hash string contains the salt and parameters needed for verification.
Security Notes¶
- ApiCrate does not store your passwords or hashes — all processing is stateless
- All API communication is encrypted via TLS
- bcrypt and argon2 use secure default parameters — no tuning required
- Rate limiting protects against brute-force abuse
Next Up¶
Part 3 of this series covers bulk operations — batching requests, handling errors, and optimizing quota usage.