Hash API

Cryptographic hashing as a simple API call

Compute message digests and password hashes without installing cryptographic libraries. Supports MD5, SHA-1/256/512, bcrypt, scrypt, and Argon2id with tunable security parameters.

Message Digests

Compute MD5, SHA-1, SHA-256, and SHA-512 hashes instantly. Ideal for checksums, data integrity verification, and content fingerprinting.

Password Hashing (KDFs)

Generate bcrypt, scrypt, and Argon2id hashes with random salts and configurable work factors. OWASP-recommended algorithms out of the box.

Tunable Security Parameters

Adjust rounds, memory cost, parallelism, and other parameters to balance security strength against computation time for your use case.

Zero Dependencies

No need to install OpenSSL bindings or cryptographic libraries in your application. Hash anything with a single HTTP call.

Use Cases

Built for real-world scenarios

Quick Start

Start using this API in seconds

Quick Start

# SHA-256 digest
$ curl -X POST https://api.apicrate.io/api/v1/hash/sha256 \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"input": "hello world"}'

# Response
{
  "status": "ok",
  "data": {
    "hash": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
    "algorithm": "sha256"
  }
}
import requests

# Argon2id password hash
response = requests.post(
    "https://api.apicrate.io/api/v1/hash/argon2id",
    headers={"X-API-Key": "YOUR_API_KEY"},
    json={"input": "my-secure-password"},
)

data = response.json()
print(data["data"]["hash"])  # "$argon2id$v=19$m=65536,t=3,p=4$..."
// bcrypt hash with custom rounds
const res = await fetch("https://api.apicrate.io/api/v1/hash/bcrypt", {
  method: "POST",
  headers: {
    "X-API-Key": "YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ input: "my-secure-password", rounds: 12 }),
});

const { data } = await res.json();
console.log(data.hash);  // "$2b$12$..."

File Integrity Check

# MD5 checksum for quick content fingerprinting
$ curl -X POST https://api.apicrate.io/api/v1/hash/md5 \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"input": "invoice-2026-003.pdf contents here"}'

# Response
{
  "status": "ok",
  "data": {
    "hash": "5eb63bbbe01eeed093cb22bb8f5acdc3",
    "algorithm": "md5"
  }
}
import requests

# SHA-512 for stronger integrity verification
response = requests.post(
    "https://api.apicrate.io/api/v1/hash/sha512",
    headers={"X-API-Key": "YOUR_API_KEY"},
    json={"input": "document contents to verify"},
)

data = response.json()
print(data["data"]["algorithm"])  # "sha512"
print(len(data["data"]["hash"]))  # 128 hex characters
// SHA-1 digest for Git-style object addressing
const res = await fetch("https://api.apicrate.io/api/v1/hash/sha1", {
  method: "POST",
  headers: {
    "X-API-Key": "YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ input: "blob 12\0hello world\n" }),
});

const { data } = await res.json();
console.log(data.hash);  // 40-character hex string

scrypt Password Hash

# scrypt with custom cost parameters
$ curl -X POST https://api.apicrate.io/api/v1/hash/scrypt \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"input": "user-password", "cost_factor": 16384, "block_size": 8, "parallelism": 1}'

# Response
{
  "status": "ok",
  "data": {
    "hash": "a3f5b7c9d1e2...",
    "algorithm": "scrypt",
    "params": {
      "cost_factor": 16384,
      "block_size": 8,
      "parallelism": 1
    }
  }
}
import requests

# scrypt with higher memory cost for sensitive data
response = requests.post(
    "https://api.apicrate.io/api/v1/hash/scrypt",
    headers={"X-API-Key": "YOUR_API_KEY"},
    json={
        "input": "high-value-secret",
        "cost_factor": 32768,
        "block_size": 8,
        "parallelism": 2,
    },
)

result = response.json()["data"]
print(result["hash"])
print(result["params"])  # {"cost_factor": 32768, "block_size": 8, "parallelism": 2}
// scrypt with default parameters
const res = await fetch("https://api.apicrate.io/api/v1/hash/scrypt", {
  method: "POST",
  headers: {
    "X-API-Key": "YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ input: "my-secure-password" }),
});

const { data } = await res.json();
console.log(data.algorithm);  // "scrypt"
console.log(data.params);     // { cost_factor: 16384, block_size: 8, parallelism: 1 }

Tuning Argon2id for High Security

# Argon2id with increased memory and iterations
$ curl -X POST https://api.apicrate.io/api/v1/hash/argon2id \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"input": "admin-password", "time_cost": 5, "memory_cost": 131072, "parallelism": 4}'

# Response
{
  "status": "ok",
  "data": {
    "hash": "$argon2id$v=19$m=131072,t=5,p=4$...",
    "algorithm": "argon2id",
    "params": {
      "time_cost": 5,
      "memory_cost": 131072,
      "parallelism": 4
    }
  }
}
import requests

# Compare default vs hardened Argon2id settings
for label, params in [
    ("default", {}),
    ("hardened", {"time_cost": 5, "memory_cost": 131072}),
]:
    response = requests.post(
        "https://api.apicrate.io/api/v1/hash/argon2id",
        headers={"X-API-Key": "YOUR_API_KEY"},
        json={"input": "my-password", **params},
    )
    result = response.json()["data"]
    print(f"{label}: m={result['params']['memory_cost']}, t={result['params']['time_cost']}")
    # default:  m=65536, t=3
    # hardened: m=131072, t=5
// Argon2id with OWASP minimum recommendations
const res = await fetch("https://api.apicrate.io/api/v1/hash/argon2id", {
  method: "POST",
  headers: {
    "X-API-Key": "YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    input: "user-password",
    time_cost: 3,
    memory_cost: 65536,
    parallelism: 4,
  }),
});

const { data } = await res.json();
console.log(data.hash);    // "$argon2id$v=19$m=65536,t=3,p=4$..."
console.log(data.params);  // { time_cost: 3, memory_cost: 65536, parallelism: 4 }
Endpoints

Available endpoints

POST /api/v1/hash/md5 Compute MD5 hash
POST /api/v1/hash/sha1 Compute SHA-1 hash
POST /api/v1/hash/sha256 Compute SHA-256 hash
POST /api/v1/hash/sha512 Compute SHA-512 hash
POST /api/v1/hash/bcrypt Hash with bcrypt
POST /api/v1/hash/scrypt Hash with scrypt
POST /api/v1/hash/argon2id Hash with Argon2id
FAQ

Frequently asked questions

What is the maximum input size?

All hash endpoints accept input up to 256 KB in size.

Are KDF hashes deterministic?

No. KDF endpoints (bcrypt, scrypt, Argon2id) generate a random salt on every call, so repeated requests with the same input produce different hashes. Message digest endpoints (MD5, SHA) are deterministic.

Which algorithm should I use for passwords?

Argon2id is the OWASP-recommended choice for new applications. bcrypt is also widely supported and battle-tested. Avoid MD5 and SHA for password storage.

Can I verify a password against an existing hash?

The current API generates hashes only. Verification should be done client-side using the same algorithm library.

Ready to start building?

Create a free account and start making requests in under a minute.

Sign Up Free → View Documentation