Skip to main content
The Crypto API provides cryptographic functionality including hashing, signing, encryption, and random number generation.

crypto

Global crypto object.

Methods

getRandomValues()
method
Generate cryptographically strong random values.
getRandomValues<T extends ArrayBufferView>(
  array: T
): T
Fills the provided array with random values.
randomUUID()
method
Generate a random UUID (version 4).
randomUUID(): string
Returns a string like "550e8400-e29b-41d4-a716-446655440000".

Properties

subtle
SubtleCrypto
Interface for advanced cryptographic operations.

SubtleCrypto

Provides low-level cryptographic operations.

Digest

digest()
method
Generate a digest (hash) of data.
digest(
  algorithm: AlgorithmIdentifier,
  data: BufferSource
): Promise<ArrayBuffer>
Supported algorithms:
  • SHA-1: 160-bit SHA-1 hash (not recommended for security)
  • SHA-256: 256-bit SHA-2 hash
  • SHA-384: 384-bit SHA-2 hash
  • SHA-512: 512-bit SHA-2 hash
  • MD5: 128-bit MD5 hash (not recommended for security)

Encryption/Decryption

encrypt()
method
Encrypt data.
encrypt(
  algorithm: AlgorithmIdentifier,
  key: CryptoKey,
  data: BufferSource
): Promise<ArrayBuffer>
Supported algorithms:
  • AES-CBC: AES in Cipher Block Chaining mode
  • AES-CTR: AES in Counter mode
  • AES-GCM: AES in Galois/Counter mode
  • RSA-OAEP: RSA with OAEP padding
decrypt()
method
Decrypt data.
decrypt(
  algorithm: AlgorithmIdentifier,
  key: CryptoKey,
  data: BufferSource
): Promise<ArrayBuffer>

Signing/Verification

sign()
method
Generate a digital signature.
sign(
  algorithm: AlgorithmIdentifier,
  key: CryptoKey,
  data: BufferSource
): Promise<ArrayBuffer>
Supported algorithms:
  • HMAC: Hash-based Message Authentication Code
  • RSASSA-PKCS1-v1_5: RSA signature with PKCS#1 v1.5 padding
  • RSA-PSS: RSA signature with PSS padding
  • ECDSA: Elliptic Curve Digital Signature Algorithm
  • Ed25519: EdDSA signature using Curve25519
verify()
method
Verify a digital signature.
verify(
  algorithm: AlgorithmIdentifier,
  key: CryptoKey,
  signature: BufferSource,
  data: BufferSource
): Promise<boolean>

Key management

generateKey()
method
Generate a new cryptographic key or key pair.
generateKey(
  algorithm: AlgorithmIdentifier,
  extractable: boolean,
  keyUsages: KeyUsage[]
): Promise<CryptoKey | CryptoKeyPair>
importKey()
method
Import a key from external data.
importKey(
  format: KeyFormat,
  keyData: BufferSource | JsonWebKey,
  algorithm: AlgorithmIdentifier,
  extractable: boolean,
  keyUsages: KeyUsage[]
): Promise<CryptoKey>
Key formats:
  • raw: Raw key data
  • pkcs8: PKCS#8 private key
  • spki: SubjectPublicKeyInfo public key
  • jwk: JSON Web Key
exportKey()
method
Export a key to external data.
exportKey(
  format: KeyFormat,
  key: CryptoKey
): Promise<ArrayBuffer | JsonWebKey>
wrapKey()
method
Wrap (encrypt) a key using another key.
wrapKey(
  format: KeyFormat,
  key: CryptoKey,
  wrappingKey: CryptoKey,
  wrapAlgorithm: AlgorithmIdentifier
): Promise<ArrayBuffer>
unwrapKey()
method
Unwrap (decrypt) a key using another key.
unwrapKey(
  format: KeyFormat,
  wrappedKey: BufferSource,
  unwrappingKey: CryptoKey,
  unwrapAlgorithm: AlgorithmIdentifier,
  unwrappedKeyAlgorithm: AlgorithmIdentifier,
  extractable: boolean,
  keyUsages: KeyUsage[]
): Promise<CryptoKey>

Key derivation

deriveBits()
method
Derive bits from a base key.
deriveBits(
  algorithm: AlgorithmIdentifier,
  baseKey: CryptoKey,
  length: number
): Promise<ArrayBuffer>
Supported algorithms:
  • PBKDF2: Password-Based Key Derivation Function 2
  • HKDF: HMAC-based Key Derivation Function
  • ECDH: Elliptic Curve Diffie-Hellman
  • X25519: Curve25519 Diffie-Hellman
deriveKey()
method
Derive a key from a base key.
deriveKey(
  algorithm: AlgorithmIdentifier,
  baseKey: CryptoKey,
  derivedKeyAlgorithm: AlgorithmIdentifier,
  extractable: boolean,
  keyUsages: KeyUsage[]
): Promise<CryptoKey>

CryptoKey

Represents a cryptographic key.

Properties

type
'secret' | 'private' | 'public'
Key type.
extractable
boolean
Whether the key can be exported.
algorithm
KeyAlgorithm
Algorithm the key is used with.
usages
KeyUsage[]
Operations the key can be used for.

Key usages

encrypt
KeyUsage
Key can be used to encrypt data.
decrypt
KeyUsage
Key can be used to decrypt data.
sign
KeyUsage
Key can be used to sign data.
verify
KeyUsage
Key can be used to verify signatures.
deriveKey
KeyUsage
Key can be used to derive other keys.
deriveBits
KeyUsage
Key can be used to derive bits.
wrapKey
KeyUsage
Key can be used to wrap other keys.
unwrapKey
KeyUsage
Key can be used to unwrap other keys.

DigestStream

Streaming hash computation (workerd extension). 
new DigestStream(algorithm: string)
A WritableStream that computes a digest as data is written.
digest
Promise<ArrayBuffer>
Promise that resolves to the computed digest when the stream is closed.

Example usage

// Generate random values
const array = new Uint8Array(16);
crypto.getRandomValues(array);

// Generate UUID
const uuid = crypto.randomUUID();

// Hash data
const data = new TextEncoder().encode('Hello, World!');
const hashBuffer = await crypto.subtle.digest('SHA-256', data);
const hashArray = Array.from(new Uint8Array(hashBuffer));
const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');

// Generate AES key
const key = await crypto.subtle.generateKey(
  { name: 'AES-GCM', length: 256 },
  true,
  ['encrypt', 'decrypt']
);

// Encrypt data
const iv = crypto.getRandomValues(new Uint8Array(12));
const encrypted = await crypto.subtle.encrypt(
  { name: 'AES-GCM', iv },
  key,
  data
);

// Decrypt data
const decrypted = await crypto.subtle.decrypt(
  { name: 'AES-GCM', iv },
  key,
  encrypted
);

// Generate RSA key pair
const keyPair = await crypto.subtle.generateKey(
  {
    name: 'RSA-PSS',
    modulusLength: 2048,
    publicExponent: new Uint8Array([1, 0, 1]),
    hash: 'SHA-256',
  },
  true,
  ['sign', 'verify']
);

// Sign data
const signature = await crypto.subtle.sign(
  { name: 'RSA-PSS', saltLength: 32 },
  keyPair.privateKey,
  data
);

// Verify signature
const valid = await crypto.subtle.verify(
  { name: 'RSA-PSS', saltLength: 32 },
  keyPair.publicKey,
  signature,
  data
);

// HMAC
const hmacKey = await crypto.subtle.generateKey(
  { name: 'HMAC', hash: 'SHA-256' },
  true,
  ['sign', 'verify']
);

const mac = await crypto.subtle.sign(
  'HMAC',
  hmacKey,
  data
);

// Streaming digest
const digestStream = new DigestStream('SHA-256');
const writer = digestStream.getWriter();
await writer.write(data);
await writer.close();
const digest = await digestStream.digest;

Build docs developers (and LLMs) love

Get started for freeTalk to us