Skip to main content
Ant ships with two cryptography surfaces: the Web Crypto API as a global (crypto.subtle, crypto.randomUUID, crypto.getRandomValues) and a Node-compatible crypto module available via import. Both are backed by BoringSSL, so you get the same underlying primitives regardless of which API you use. The Web Crypto API is the better choice for new code; the Node-compatible module is there when you need drop-in compatibility with existing npm packages.

Web Crypto API (global)

The crypto global is available without any imports.

Generate a UUID

const id = crypto.randomUUID();
console.log(id); // e.g. "550e8400-e29b-41d4-a716-446655440000"
randomUUID() generates a version 4 UUID using cryptographically secure random bytes.

Fill a buffer with random bytes

const buf = new Uint8Array(32);
crypto.getRandomValues(buf);
// buf is now filled with 32 cryptographically random bytes
crypto.getRandomValues(typedArray)
function
Fills typedArray in-place with cryptographically random values and returns it. Accepts any typed array (Uint8Array, Int32Array, etc.).

Hash data with crypto.subtle

crypto.subtle.digest computes a hash of an ArrayBuffer or typed array. 
const data = new TextEncoder().encode('hello');
const hashBuffer = await crypto.subtle.digest('SHA-256', data);

const hex = Array.from(new Uint8Array(hashBuffer))
  .map(b => b.toString(16).padStart(2, '0'))
  .join('');

console.log(hex);
// "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
crypto.subtle methods are all async — they return promises. Supported digest algorithms include "SHA-1", "SHA-256", "SHA-384", and "SHA-512".

Generate and use a symmetric key

const key = await crypto.subtle.generateKey(
  { name: 'AES-GCM', length: 256 },
  true,
  ['encrypt', 'decrypt']
);

const iv = crypto.getRandomValues(new Uint8Array(12));
const plaintext = new TextEncoder().encode('secret message');

const ciphertext = await crypto.subtle.encrypt(
  { name: 'AES-GCM', iv },
  key,
  plaintext
);

Node-compatible crypto module

Import crypto from node:crypto or ant:crypto when you need the Node.js API style — for example when using libraries that call createHash or randomBytes directly. 
import crypto from 'node:crypto';
// or
import crypto from 'ant:crypto';

Hash with createHash

import crypto from 'node:crypto';

const hash = crypto.createHash('sha256').update('hello').digest('hex');
console.log(hash);
// "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
You can chain multiple .update() calls to hash data incrementally: 
const hash = crypto.createHash('sha256');
hash.update('part one ');
hash.update('part two');
console.log(hash.digest('hex'));

HMAC with createHmac

import crypto from 'node:crypto';

const key = process.env.SIGNING_KEY;
const mac = crypto.createHmac('sha256', key).update('payload').digest('hex');
console.log(mac);

Generate random bytes

import crypto from 'node:crypto';

const token = crypto.randomBytes(32).toString('hex');
console.log(token); // 64-character hex string, suitable for tokens and secrets
crypto.randomBytes(size)
function
Returns a Buffer of size cryptographically random bytes. Synchronous.

Key derivation with pbkdf2Sync

Use pbkdf2Sync to derive a key from a password for storage or comparison. Do not use a raw password hash — always use a proper KDF. 
import crypto from 'node:crypto';

const password = 'user-password';
const salt = crypto.randomBytes(16);
const iterations = 310000;
const keylen = 32;
const digest = 'sha256';

const derivedKey = crypto.pbkdf2Sync(password, salt, iterations, keylen, digest);
console.log(derivedKey.toString('hex'));
pbkdf2Sync blocks the event loop for the duration of the computation. For high-throughput servers, prefer the async pbkdf2 variant or use a worker thread.

Comparison table

TaskWeb Crypto APINode-compatible module
Hashcrypto.subtle.digest('SHA-256', data)crypto.createHash('sha256').update(data).digest('hex')
HMACcrypto.subtle.sign('HMAC', key, data)crypto.createHmac('sha256', key).update(data).digest('hex')
Random UUIDcrypto.randomUUID()crypto.randomUUID()
Random bytescrypto.getRandomValues(new Uint8Array(n))crypto.randomBytes(n)
Key derivationcrypto.subtle.deriveKey(...)crypto.pbkdf2Sync(...)
Symmetric encryptcrypto.subtle.encrypt(...)