Pwhash
Argon2id password hashing and key derivation from passwords - all operations are intentionally slow.
Key derivation (hash): derives a fixed-length symmetric key from a password and a random salt.
Password storage (hashStr/verifyStr): produces a self-contained encoded string with embedded salt.
Use INTERACTIVE presets for login flows and SENSITIVE for long-lived key derivation.
Summary
Functions
Pwhash.hash(password: buffer, salt: buffer, outputBytes: number, opsLimit: number?, memLimit: number?) → bufferPwhash.hashStr(password: buffer, opsLimit: number?, memLimit: number?) → stringPwhash.verifyStr(hashString: string, password: buffer) → booleanPwhash.needsRehash(hashString: string, opsLimit: number?, memLimit: number?) → booleanFunctions
Section titled “Functions”Pwhash . hash ( password , salt , outputBytes , opsLimit , memLimit ) -> buffer
Derives a key of outputBytes bytes from password and a 16-byte salt using Argon2id.
opsLimit and memLimit default to the interactive presets; increase to moderate or sensitive for stronger derivation.
Returns
| buffer |
hashStr
Section titled “hashStr”Pwhash . hashStr ( password , opsLimit , memLimit ) -> string
Hashes password for storage, returning a self-contained encoded string with embedded salt and parameters.
opsLimit and memLimit default to the interactive presets; errors if hashing fails.
verifyStr
Section titled “verifyStr”Pwhash . verifyStr ( hashString , password ) -> boolean
Verifies that password matches the encoded hash produced by hashStr.
Returns true if the password is correct, false otherwise - does not error on wrong passwords.
needsRehash
Section titled “needsRehash”Pwhash . needsRehash ( hashString , opsLimit , memLimit ) -> boolean
Returns true if the stored hash was produced with parameters weaker than opsLimit/memLimit.
Use after a successful verifyStr to decide whether to upgrade the stored hash; errors if hashStr is invalid.