Cryptographic utilities for backend developers — hash passwords, generate and verify JWTs, create TOTP 2FA secrets, encrypt/decrypt data with AES-256-GCM, generate secure random tokens and asymmetric key pairs, and compute HMAC signatures.
Base URL¶
https://auth.toolkitapi.io/v1/
Quick Start¶
Hash a password in one call:
curl -X POST "https://auth.toolkitapi.io/v1/auth/hash-password" \
-H "X-API-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"password": "my-secret-password"}'
import requests
r = requests.post(
"https://auth.toolkitapi.io/v1/auth/hash-password",
headers={"X-API-Key": "YOUR_KEY"},
json={"password": "my-secret-password"},
)
print(r.json()["hash"])
const r = await fetch("https://auth.toolkitapi.io/v1/auth/hash-password", {
method: "POST",
headers: { "X-API-Key": "YOUR_KEY", "Content-Type": "application/json" },
body: JSON.stringify({ password: "my-secret-password" }),
});
const data = await r.json();
console.log(data.hash);
Browse all auth endpoints →
Endpoints¶
Passwords¶
| Method |
Endpoint |
Description |
POST |
/v1/auth/hash-password |
Hash a password with bcrypt, argon2, or scrypt |
POST |
/v1/auth/verify-password |
Verify a password against a hash (algorithm auto-detected) |
POST |
/v1/auth/password-strength |
Analyse password strength using zxcvbn |
GET |
/v1/auth/generate-password |
Generate cryptographically secure random passwords |
JWT¶
| Method |
Endpoint |
Description |
POST |
/v1/auth/jwt-generate |
Generate a signed JWT (HS256/RS256/ES256 and variants) |
POST |
/v1/auth/jwt-verify |
Verify a JWT signature and decode claims |
POST |
/v1/auth/jwt-decode |
Decode a JWT without verifying the signature |
TOTP / 2FA¶
| Method |
Endpoint |
Description |
GET |
/v1/auth/totp-generate |
Generate a TOTP secret, otpauth URI, and QR code |
POST |
/v1/auth/totp-verify |
Verify a TOTP code against a shared secret |
Keys & Encryption¶
| Method |
Endpoint |
Description |
GET |
/v1/auth/generate-key |
Generate an API key, UUID v4, nanoid, or secret token |
POST |
/v1/auth/generate-keypair |
Generate an RSA or EC keypair as PEM |
POST |
/v1/auth/encrypt |
Encrypt plaintext with AES-256-GCM |
POST |
/v1/auth/decrypt |
Decrypt AES-256-GCM ciphertext |
Hashing & Encoding¶
| Method |
Endpoint |
Description |
POST |
/v1/auth/hash |
Hash a string (MD5, SHA-1, SHA-256/512, SHA3, BLAKE2b) |
POST |
/v1/auth/hmac |
Generate an HMAC-SHA256/384/512 signature |
POST |
/v1/auth/hmac-verify |
Verify an HMAC signature (constant-time) |
POST |
/v1/auth/base64-encode |
Base64 or Base64URL encode a string |
POST |
/v1/auth/base64-decode |
Decode a Base64 or Base64URL string |
POST |
/v1/auth/encode |
Encode/decode in multiple formats (URL, HTML entities, hex, ascii85) |
Spam Detection¶
| Method |
Endpoint |
Description |
POST |
/v1/email/form-spam-score |
Score a form submission for spam likelihood (Email toolkit) |
Quick Example¶
from toolkitapi import Auth
auth = Auth(api_key="tk_...")
# Hash a password
result = auth.hash_password("hunter2", algorithm="argon2")
print(result["hash"]) # $argon2id$v=19$...
# Verify it
check = auth.verify_password("hunter2", result["hash"])
print(check["valid"]) # True
Python SDK¶
Install the SDK and import the Auth class:
pip install toolkitapi
from toolkitapi import Auth
auth = Auth(api_key="tk_...")
result = auth.jwt_generate(
{"sub": "user_123", "role": "admin"},
secret="my-signing-key",
expires_in=3600,
)
print(result["token"])
The Auth client is instantiated once and reused across calls. All methods return the parsed JSON response as a Python dict.