Hash Verifier
Paste your text and a known hash — the tool auto-detects the algorithm and tells you instantly whether they match.
Free · No credit card · 50 credits/day
How it works
Two inputs, one answer.
Paste your text
Enter the original text — a file checksum source, a config value, an API key, any string you want to verify.
Paste the known hash
Enter the hash you want to compare against. The algorithm is detected automatically from the length of the hash string.
Get an instant verdict
The tool re-hashes your text with the detected algorithm and compares the result using constant-time comparison, then shows match or no match.
Algorithm auto-detection
The algorithm is inferred from the hex length of your hash — no dropdown needed.
| Algorithm | Hex characters | Bit length | Security |
|---|---|---|---|
| MD5 | 32 | 128 bits | Broken |
| SHA-1 | 40 | 160 bits | Broken |
| SHA-256 | 64 | 256 bits | Secure |
| SHA-384 | 96 | 384 bits | Secure |
| SHA-512 | 128 | 512 bits | Secure |
If your hash length doesn't match any of these, the tool returns an error with the expected lengths.
When would you verify a hash?
Hash verification shows up everywhere integrity matters.
Software download verification
Developers publish SHA-256 checksums alongside their releases. Paste the file content and the published hash — if they match, the download hasn't been tampered with.
API key and token integrity
Verify that an API key or secret token hasn't been corrupted in transit or storage by comparing it against a known hash of the original value.
Config file auditing
Hash a known-good config file on deploy and store the hash. Later, re-hash and compare to detect unauthorised changes to your configuration.
Webhook payload verification
Services like GitHub and Stripe sign webhook payloads with HMAC-SHA256. Verify the signature matches the payload before trusting the request.
Database record integrity
Store a hash of sensitive fields. On read, re-hash and compare to detect silent data corruption or tampering at the storage layer.
Build artifact comparison
Confirm that a compiled binary or package uploaded to a registry matches the hash produced during CI — catching supply-chain substitutions.
Constant-time comparison
We compare hashes using PHP's hash_equals(), which always takes the same amount of time regardless of where the strings differ. A naive === comparison leaks information through timing differences — attackers can use this to guess hash values one character at a time. hash_equals() eliminates that side channel entirely.
Frequently asked questions
Related security tools
Generate and protect hashes with these companion tools.
Verify a hash now
Free account. 50 credits per day. Access to 75+ tools instantly.
Create free account →