Why should I hash API keys before storing them?

If your database is compromised, an attacker who finds plaintext API keys can impersonate any user immediately. Storing only the hash means the attacker still needs to reverse the hash before they can use any key. For high-entropy randomly generated keys, even a fast hash like SHA-256 gives significant protection because brute-forcing 128 bits of randomness is computationally infeasible.

When should I use PBKDF2 instead of SHA-256?

Use PBKDF2 when the API key has lower entropy or when users might reuse their passwords as keys. PBKDF2 deliberately slows down the hashing to 100,000 iterations, making GPU-based brute-force attacks thousands of times slower. For high-entropy randomly generated keys such as 32-byte random tokens, SHA-256 is generally sufficient and much faster to verify.

What is a salt and why does it matter?

A salt is a unique random value mixed into the key before hashing. Without a salt, two users with the same API key would produce identical hashes, and precomputed rainbow tables could reverse common keys instantly. With a unique salt per key, every hash is different even for identical inputs, and rainbow tables become useless.

What is timingSafeEqual and why is it used in the snippet?

A naive string comparison like === returns false as soon as it finds the first mismatched character. An attacker who can measure how long a comparison takes can infer how many characters match, gradually guessing the hash byte by byte. timingSafeEqual always compares the full buffer regardless of where the mismatch occurs, eliminating this timing side-channel.

Can I use this for password hashing?

For passwords, prefer bcrypt, scrypt, or Argon2 rather than PBKDF2, as these are specifically designed for password storage with better memory-hardness properties. PBKDF2 is acceptable for API keys and tokens but is not the recommended choice for user passwords. The tool is designed for API key and secret storage.

Is my API key sent to any server?

No. All hashing runs entirely in your browser using the Web Crypto API. Nothing is transmitted to any server. Your key never leaves your device.

What does the stored record format look like?

For PBKDF2 the record is a single string in the format pbkdf2:100000:saltHex:hashHex. This self-describing format includes the algorithm, iteration count, salt, and hash, so you can always verify without needing separate columns. For SHA-256 and SHA-512 with a salt, you should store the hash and salt in separate database columns.

How do I verify a key when a user authenticates?

Hash the incoming key with the same algorithm and salt you used when you stored it, then compare the result to the stored hash using timingSafeEqual. The Node.js verification snippet generated by this tool shows the exact code to use. For PBKDF2 you parse the iteration count and salt from the stored record so the verification is self-contained.

Should I use a global salt or a per-key salt?

Always use a per-key salt. A global salt prevents rainbow table attacks but means identical keys still produce identical hashes, and a leak of the global salt weakens all hashes at once. A unique salt per key ensures every hash is independent and an attacker must brute-force each key separately.

What key length is recommended for generated API keys?

At minimum 128 bits, which is 16 random bytes encoded as 32 hex characters or a 22-character base64url string. 256 bits (32 bytes, 44-character base64url) is the industry standard for API keys. Keys of this length have so much entropy that even SHA-256 without a salt offers strong protection against brute-force.

Loading tool...

How to Use API Key Hasher

How to Use the API Key Hasher

Step 1: Paste Your API Key

Enter or paste the API key you want to hash. Use the eye icon to toggle visibility. You can also click an example preset to test with a realistic-looking key.

Step 2: Choose an Algorithm

Algorithm	Speed	Output	Best for
SHA-256	Fast	64 hex chars	Checksums, lookup indices, low-risk keys
SHA-512	Fast	128 hex chars	Longer keys, signing secrets, higher security
PBKDF2	Slow (safe)	64 hex chars	Credentials needing offline attack protection

SHA-256 and SHA-512 are fast cryptographic hash functions. They are suitable when your main threat model is a database breach exposing stored keys, and the keys themselves have high entropy (randomly generated). They do not protect against GPU-based brute-force attacks if the key has low entropy.

PBKDF2 applies 100,000 iterations of HMAC-SHA256 to derive the hash. The high iteration count makes GPU cracking prohibitively expensive, similar to how bcrypt protects passwords. Use PBKDF2 when the API key might be reused as a password or when your keys have lower entropy.

Step 3: Add a Salt (Optional for SHA, Auto-generated for PBKDF2)

A salt is a random value mixed into the input before hashing. It prevents two identical keys from producing the same hash and defeats precomputed rainbow table attacks.

For SHA-256 and SHA-512, the salt is optional. If provided, the tool hashes salt:apiKey and you store the salt separately.
For PBKDF2, a salt is mandatory. If you leave the field blank, the tool generates a cryptographically random 16-byte salt automatically.

Step 4: Click Hash Key

The tool outputs:

The raw hex hash
The full stored record string (algorithm prefix + salt + hash)
A Node.js verification snippet using timingSafeEqual

Step 5: Store and Verify

Store the hash in your database, never the original key. When a user presents a key for authentication, hash it with the same algorithm and salt, then compare using timingSafeEqual to prevent timing attacks.

Storage Format Reference

Algorithm	Format
SHA-256 (no salt)	sha256:hexHash
SHA-256 (with salt)	sha256:salt:hexHash
SHA-512 (no salt)	sha512:hexHash
SHA-512 (with salt)	sha512:salt:hexHash
PBKDF2	pbkdf2:100000:saltHex:hashHex

Frequently Asked Questions

Most Viewed Tools

🔐

TOTP Code Generator

2,924 views

Generate time-based one-time passwords from a TOTP secret key. Enter your base32 secret, choose a period and digit length, and get the current and next codes with a live countdown timer. Useful for testing and debugging 2FA integrations.

API Key Hasher

How to Use API Key Hasher

How to Use the API Key Hasher

Step 1: Paste Your API Key

Step 2: Choose an Algorithm

Step 3: Add a Salt (Optional for SHA, Auto-generated for PBKDF2)

Step 4: Click Hash Key

Step 5: Store and Verify

Storage Format Reference

Frequently Asked Questions

Why should I hash API keys before storing them?

When should I use PBKDF2 instead of SHA-256?

What is a salt and why does it matter?

What is timingSafeEqual and why is it used in the snippet?

Can I use this for password hashing?

Is my API key sent to any server?

What does the stored record format look like?

How do I verify a key when a user authenticates?

Should I use a global salt or a per-key salt?

What key length is recommended for generated API keys?

Most Viewed Tools

TOTP Code Generator

Secret and Credential Scanner

Password Entropy Calculator

Content Security Policy Generator

Screen Size Converter

SSH Key Generator

PGP Key Generator

DPI Calculator

Related Privacy & Security Tools

PGP Key Generator

TOTP Code Generator

OAuth 2.0 Scope Builder

Password Entropy Calculator

Content Security Policy Generator

SSH Key Generator

Secret and Credential Scanner

API Key Generator

Share Your Feedback