W3docs

String Functions

String to SHA-256 Hash Generator

Compute the SHA-256 hash of any string. 256-bit digest, hex-encoded, runs entirely in your browser.

About the SHA-256 hash generator

This tool computes the SHA-256 hash of any string you paste in. SHA-256 (Secure Hash Algorithm, 256-bit) takes input of any length and always produces a fixed 256-bit digest, shown here as 64 hexadecimal characters. The same input always produces the same hash, but changing even a single character — a case, a space — produces a completely different, unpredictable output. The transformation only runs one way: there's no operation that reconstructs the original text from the hash.

Hashing runs entirely in your browser using the Web Crypto API. The input is first encoded to UTF-8 bytes with TextEncoder, then passed to crypto.subtle.digest('SHA-256', bytes), which returns the 32-byte digest; each byte is converted to a two-digit hex value and the 32 pairs are joined into the 64-character string shown in the output. crypto.subtle.digest is asynchronous by design, but for a string of any typical length it resolves essentially instantly. Nothing is sent over the network — the whole computation happens locally, so pasting sensitive text here doesn't transmit it anywhere.

SHA-256 is useful anywhere you need a short, fixed-size fingerprint of arbitrary data: verifying a downloaded file against a publisher's checksum, generating a stable cache-busting key from file content, deduplicating files by comparing hashes instead of full contents, or confirming two values match without comparing them directly. One thing it's not suited for is hashing passwords. SHA-256 is deliberately fast, which makes brute-forcing short or predictable inputs cheap for an attacker — for passwords, use a purpose-built algorithm like bcrypt, scrypt, or Argon2 instead.

Examples

What the tool computes, in JavaScriptjs
async function sha256(input) {
  const bytes = new TextEncoder().encode(input);
  const digest = await crypto.subtle.digest("SHA-256", bytes);
  return Array.from(new Uint8Array(digest))
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("");
}

await sha256("The quick brown fox jumps over the lazy dog");
// "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"

This mirrors what the tool runs internally, verified against its actual output. The same code works unmodified in Node.js — crypto.subtle is available globally there too.

Verify the same hash from a terminalbash
$ printf 'The quick brown fox jumps over the lazy dog' | shasum -a 256
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592  -

Use printf, not echo — echo appends a trailing newline by default, which changes the hash to a different value than this tool produces for the same visible text.

Same hash in PHPphp
<?php
echo hash('sha256', 'The quick brown fox jumps over the lazy dog');
// "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592"

PHP's hash() with the 'sha256' algorithm name returns the same lowercase hex digest as this tool.

Frequently asked questions

What is SHA-256 used for?

SHA-256 verifies that data hasn't changed — comparing a downloaded file against a publisher's checksum, generating a cache-busting key from file content, or fingerprinting a config file or commit. It's also a core building block in TLS certificates, digital signatures, and Bitcoin's proof-of-work. It is not, by itself, a good way to store passwords.

Can a SHA-256 hash be reversed or decrypted?

No — SHA-256 is a one-way hash function, not encryption, so there's no key or algorithm that turns a digest back into the original text. Sites that claim to 'decrypt' a SHA-256 hash are really just looking it up in a precomputed table of common inputs, which only works if the original text was short or guessable.

What's the difference between SHA-256 and MD5?

SHA-256 produces a 256-bit digest (64 hex characters); MD5 produces a 128-bit digest (32 hex characters) and has been considered broken for security purposes since 2004. Use SHA-256 for anything security-related — MD5 is only appropriate for non-security tasks like a quick checksum.

Why doesn't my hash match the one from another tool?

The most common cause is a trailing newline: echo 'text' | shasum -a 256 appends a newline character that printf 'text' | shasum -a 256 does not, so the two produce different hashes for text that looks identical. Leading or trailing whitespace and character encoding matter too — this tool always encodes your input as UTF-8 before hashing.

Can this tool hash a file instead of text?

No — it hashes whatever text you paste into the input field, not file contents. To hash a file from the command line, use shasum -a 256 file.txt on macOS/Linux or certutil -hashfile file.txt SHA256 on Windows.