SHA-256 Hash Generator

Generate a SHA-256 (SHA-2, 256-bit) digest from any text or file. Hex, Base64, and Base64URL output — all computed locally in your browser.


256-bit (32-byte) digest from the SHA-2 family. The default secure hash for signatures, checksums, and content addressing.

Hashing runs locally using the browser's SubtleCrypto API. Your text and files never leave your device.

Cryptographically secure

SHA-256 has no known practical collisions and is the default for TLS, JWT, Bitcoin, and modern digital signatures.

Instant, local hashing

Runs in your browser using the native SubtleCrypto API. Hashes update as you type — no roundtrip, no upload.

Three output encodings

Switch between Hex (64 chars), Base64 (with padding), and Base64URL (URL- and JWT-safe) without recomputing.

What is SHA-256?

SHA-256 is the 256-bit member of the SHA-2 family, published by NIST in FIPS 180-4. It takes any input — a single character, a multi-gigabyte file, or anything in between — and produces a fixed 32-byte digest. The same input always produces the same digest; a one-bit change produces a completely different digest (the avalanche effect).

When to use SHA-256

Use SHA-256 when you need a secure, collision-resistant hash: verifying downloads against a published checksum, signing JWTs with HS256/RS256/ES256, computing Git commit IDs in SHA-256 mode, fingerprinting TLS certificates, or content-addressing files in a storage system. Do not use raw SHA-256 to store passwords — use a slow KDF like bcrypt, scrypt, or Argon2.

Hex vs Base64 vs Base64URL

A SHA-256 digest is 32 raw bytes — but bytes are rarely displayed directly. Hex encoding gives a 64-character lowercase string and is the most common format for checksums and Git. Base64 packs the same bytes into 44 characters (with = padding) and is common in HTTP headers and binary protocols. Base64URL is identical but replaces + and / with - and _ and drops padding — required for JWT signatures and URL-safe IDs.
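The three encodings described above, derived from a single digest with the SubtleCrypto API. This is an added example, not this tool's own source; the function names (encodeDigest, sha256, sha256Encodings, matchesChecksum) are hypothetical, and the input is the constructed "abc" test vector, whose digest happens to contain both + and / in Base64.

```javascript
// Added example: one SHA-256 digest, three encodings, via the Web Crypto API.
// Browsers and current Node expose globalThis.crypto; require() is a fallback for older Node.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

// Encode raw digest bytes without rehashing. All three forms carry the same 32 bytes.
function encodeDigest(bytes) {
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  const base64 = btoa(String.fromCharCode(...bytes));
  // Base64URL: swap the two URL-unsafe characters and strip the = padding.
  const base64url = base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return { hex, base64, base64url };
}

// Hash a string (as UTF-8) or a BufferSource such as a file's ArrayBuffer.
async function sha256(input) {
  const data = typeof input === "string" ? new TextEncoder().encode(input) : input;
  return new Uint8Array(await subtle.digest("SHA-256", data));
}

async function sha256Encodings(input) {
  return encodeDigest(await sha256(input));
}

// Compare against a published hex checksum, tolerating case and surrounding whitespace.
async function matchesChecksum(input, publishedHex) {
  const expected = publishedHex.trim().toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(expected)) return false; // not a SHA-256 hex digest
  return (await sha256Encodings(input)).hex === expected;
}

// Constructed sample input: the standard "abc" test vector.
sha256Encodings("abc").then((d) => console.log(d));
```

For a downloaded file, pass the result of `await file.arrayBuffer()` to matchesChecksum together with the checksum copied from the publisher's page.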

Frequently asked questions

What is SHA-256?

SHA-256 is a cryptographic hash function from the SHA-2 family, designed by the NSA and published by NIST in 2001. It maps any input to a fixed 256-bit (32-byte) digest, usually displayed as 64 hexadecimal characters.

What is SHA-256 used for?

Digital signatures, TLS/SSL certificates, JWT signing (HS256, RS256, ES256), Bitcoin and many other blockchains, Git's newer object format, file integrity checksums, password hashing inputs (as part of bcrypt/scrypt/PBKDF2/Argon2 schemes), and content-addressable storage.

Is SHA-256 secure?

Yes. As of 2026, SHA-256 has no known practical collision or preimage attacks and is considered cryptographically secure for the foreseeable future. It is the default secure hash for almost every modern protocol.

How is SHA-256 different from MD5 and SHA-1?

MD5 (128-bit) and SHA-1 (160-bit) are broken — collisions can be generated in practice — and must not be used for security. SHA-256 produces a larger 256-bit digest and is collision-resistant. Use MD5/SHA-1 only for non-security checksums or legacy compatibility.

What is the difference between SHA-256 and SHA-2?

SHA-2 is the family; SHA-256 is one member. SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512. The number is the digest size in bits. SHA-256 is the most widely deployed variant.

Is SHA-256 the same as SHA-3?

No. SHA-3 (Keccak) is a separate standard with a different internal construction (sponge function vs. Merkle–Damgård). Both are secure. SHA-256 is far more common because it predates SHA-3 and is required by many existing protocols.

Should I use SHA-256 to hash passwords?

Not directly. Raw SHA-256 is too fast — an attacker can try billions of guesses per second on a GPU. Use a password-hashing function like bcrypt, scrypt, Argon2, or PBKDF2 (which uses SHA-256 internally with many iterations and a salt).

Why do hex, Base64, and Base64URL outputs look different?

They encode the same 32 raw bytes differently. Hex is 64 characters using 0-9 and a-f. Base64 is 44 characters (with padding) using A-Z, a-z, 0-9, +, /. Base64URL replaces + and / with - and _ and removes padding — common in JWTs and URLs.

Is my input uploaded to a server?

No. All hashing runs in your browser using the native SubtleCrypto API. Your text and files never leave your device — safe for proprietary, internal, or sensitive content.
