Hash Password

Hash passwords using bcrypt, argon2, or scrypt with configurable parameters.

POST /v1/auth/hash-password (1 credit)

curl:

```bash
curl -X POST "https://auth.toolkitapi.io/v1/auth/hash-password" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "my-secure-password",
    "algorithm": "bcrypt",
    "rounds": 12
  }'
```

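Python:

```python
import httpx

# Same request as the curl example; replace YOUR_API_KEY with your key.
resp = httpx.post(
    "https://auth.toolkitapi.io/v1/auth/hash-password",
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    json={
        "password": "my-secure-password",
        "algorithm": "bcrypt",
        "rounds": 12,
    },
)
print(resp.json())
```
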
JavaScript:

```javascript
// Same request as the curl example; replace YOUR_API_KEY with your key.
const resp = await fetch("https://auth.toolkitapi.io/v1/auth/hash-password", {
  method: "POST",
  headers: {
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    "password": "my-secure-password",
    "algorithm": "bcrypt",
    "rounds": 12
  }),
});
const data = await resp.json();
console.log(data);
```

Response 200 OK

```json
{
  "hash": "$2b$12$LJ3m4ys3Lg3Lg3Lg3Lg3LuKvYfW8XYZ1234567890abcdefghijk",
  "algorithm": "bcrypt",
  "parameters": {"cost": 12}
}
```

How to Use

1. Set the `password` field to the plaintext password to hash.
2. Choose an `algorithm`: `bcrypt` (default), `argon2`, or `scrypt`.
3. Optionally set `rounds` to control the cost factor (algorithm-specific defaults apply).
4. Store the returned `hash` string in your database. It contains everything needed for verification.

About This Tool

The Hash Password endpoint securely hashes plaintext passwords using industry-standard algorithms: bcrypt, argon2id, or scrypt. These are purpose-built password hashing functions that incorporate salting, key stretching, and tunable cost parameters to resist brute-force and GPU-based attacks.

Unlike general-purpose hash functions (SHA-256, etc.), password hashing algorithms are intentionally slow. The `rounds` parameter controls this cost — higher values increase security but also increase computation time. The salt is generated automatically and embedded in the hash string.

The resulting hash is self-describing: it contains the algorithm identifier, parameters, salt, and digest in a single string, so the verify-password endpoint can validate any hash without additional metadata.

Frequently Asked Questions

Which algorithm should I use?

`argon2` (specifically argon2id) is the current recommendation from OWASP and won the Password Hashing Competition. `bcrypt` is battle-tested and widely supported. `scrypt` is memory-hard, making it resistant to ASIC attacks. All three are excellent choices.

What rounds value should I use for bcrypt?

The default of 12 is a good starting point. Each increment doubles the computation time. Aim for a hash time of 100–250ms on your hardware, and increase rounds as hardware gets faster.

Do I need to manage salts separately?

No. The salt is automatically generated and embedded in the hash string. The verify-password endpoint extracts it automatically during verification.

What does the parameters field contain?

For bcrypt: `{"cost": 12}`. For argon2: `{"time_cost": 3, "memory_cost": 65536, "parallelism": 4, "type": "argon2id"}`. For scrypt: `{"n": 16384, "r": 8, "p": 1, "salt_length": 16, "dk_length": 32}`.
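
Because the hash string is self-describing and `rounds` should rise over time, stored hashes can be audited for outdated parameters. The following is an added example, not code from this page or from the API: it parses stored hashes and flags those below the defaults listed above. It assumes the standard `$2b$` bcrypt layout and the reference PHC string layout for argon2 (the page does not show the argon2 or scrypt encoding); all function names and sample rows are constructed for illustration.

```python
import re

# Policy floor taken from the defaults listed on this page; adjust to your own.
MIN_BCRYPT_COST = 12
MIN_ARGON2_M, MIN_ARGON2_T = 65536, 3

# bcrypt: $2b$<cost>$<22-char salt><31-char digest>, 60 characters in total.
BCRYPT_RE = re.compile(r"\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
# argon2 PHC string (assumed encoding; the page does not show one).
ARGON2_RE = re.compile(r"\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
                       r"\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)")

def parse_hash(encoded):
    """Split a stored hash into its fields; ValueError if malformed or truncated."""
    m = BCRYPT_RE.fullmatch(encoded)
    if m:
        return {"algorithm": "bcrypt", "variant": m[1], "cost": int(m[2]),
                "salt": m[3], "digest": m[4]}
    m = ARGON2_RE.fullmatch(encoded)
    if m:
        return {"algorithm": m[1], "version": int(m[2]), "memory_cost": int(m[3]),
                "time_cost": int(m[4]), "parallelism": int(m[5]),
                "salt": m[6], "digest": m[7]}
    raise ValueError("unrecognised or truncated hash string")

def needs_rehash(encoded):
    """True when the parameters embedded in the hash are below the policy floor."""
    f = parse_hash(encoded)
    if f["algorithm"] == "bcrypt":
        return f["cost"] < MIN_BCRYPT_COST
    if f["algorithm"] != "argon2id":
        return True  # argon2i / argon2d: move to argon2id
    return f["memory_cost"] < MIN_ARGON2_M or f["time_cost"] < MIN_ARGON2_T

def audit(rows):
    """Map user id -> 'ok' | 'rehash' | 'invalid' for (user_id, hash) rows."""
    report = {}
    for user_id, encoded in rows:
        try:
            report[user_id] = "rehash" if needs_rehash(encoded) else "ok"
        except ValueError:
            report[user_id] = "invalid"  # e.g. cut off by a too-short column
    return report

# Constructed sample rows (not real hashes): correct layout, filler salt/digest.
OK_BCRYPT = "$2b$12$" + "a" * 22 + "b" * 31
ROWS = [(1, OK_BCRYPT), (2, "$2b$10$" + "a" * 22 + "b" * 31),
        (3, "$argon2id$v=19$m=65536,t=3,p=4$" + "c" * 22 + "$" + "d" * 43),
        (4, OK_BCRYPT[:50])]

if __name__ == "__main__":
    print(audit(ROWS))
```

A `rehash` result can only be acted on when the user next supplies the plaintext password, so the new hash is computed after a successful verification.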
