bcrypt (Node.js)

Native C++ bcrypt password hashing library for Node.js. Compiles a C++ implementation of the bcrypt algorithm as a Node addon with node-gyp, so installation needs a working build toolchain or a matching prebuilt binary. Provides async (bcrypt.hash/bcrypt.compare) and sync (bcrypt.hashSync/bcrypt.compareSync) APIs, plus bcrypt.genSalt and bcrypt.getRounds, with a configurable cost factor (salt rounds). The native implementation is faster than the pure JavaScript bcryptjs alternative and produces interoperable $2b$ hashes. The usual choice for password hashing in Node.js applications where native modules can be built.

Evaluated Mar 06, 2026, package version 5.x
Category: Developer Tools. Tags: bcrypt, password-hashing, security, auth, node, c++, native
⚙ Agent Friendliness
70
/ 100
Can an agent use this?
🔒 Security
97
/ 100
Is it safe for agents?
⚡ Reliability
91
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
--
Documentation
92
Error Messages
85
Auth Simplicity
100
Rate Limits
100

🔒 Security

TLS Enforcement
100
Auth Strength
100
Scope Granularity
100
Dep. Hygiene
88
Secret Handling
95

Purpose-built for password storage. compare() recomputes the hash from the salt embedded in the stored string and checks it in constant time. The cost factor is adaptive, so a deployment can raise it as hardware gets faster. A random 128-bit salt is generated for every hash and stored in the output, which defeats precomputed (rainbow) tables. The algorithm (Provos and Mazières, 1999) has decades of public analysis.

⚡ Reliability

Uptime/SLA
95
Version Stability
90
Breaking Changes
90
Error Recovery
90

Best When

You need high-performance bcrypt password hashing in Node.js and your deployment environment supports native module compilation.

Avoid When

You can't compile or load native modules (Vercel Edge, Cloudflare Workers, some serverless runtimes): use bcryptjs (pure JavaScript, hash-compatible with this package) instead. Note that the popular argon2 npm package is also a native addon, so it does not solve this problem; in those runtimes the Web Crypto API (crypto.subtle) offers PBKDF2 as a built-in password-based KDF.

Use Cases

  • Hash user passwords before storing them in a database with bcrypt.hash(password, saltRounds); the returned 60-character string contains the algorithm prefix, cost and salt, so nothing else needs storing
  • Verify user passwords during login by passing the plaintext and the stored string to bcrypt.compare(); the salt and cost are read from the stored hash
  • Configure the cost factor (salt rounds) to balance security against throughput: each additional round doubles the hash time, which slows offline cracking by the same factor
  • Implement password reset flows by hashing the new password with the current cost before storage
  • Migrate legacy MD5/SHA-1 password hashes to bcrypt, either by re-hashing on the next successful login or by wrapping the existing digest (bcrypt over the legacy hash) so every account is upgraded at once

Not For

  • Non-password hashing: use SHA-256 or SHA-512 for integrity checks and general data hashing; bcrypt is deliberately slow, accepts at most 72 bytes of input and returns a fixed-format string
  • Environments without native build tools: use bcryptjs (pure JavaScript) where native compilation is unavailable
  • Key derivation for encryption: use PBKDF2 or scrypt (both in node:crypto) or Argon2 to derive encryption keys from passwords; bcrypt's output is a password verifier, not keying material of a chosen length

Interface

REST API
No
GraphQL
No
gRPC
No
MCP Server
No
SDK
Yes
Webhooks
No

Authentication

Methods: none
OAuth: No Scopes: No

No authentication — password hashing library.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Fully free, MIT licensed.

Agent Metadata

Pagination
none
Idempotent
Partial (compare() is deterministic; hash() embeds a fresh random salt, so repeated calls return different strings that all verify)
Retry Guidance
Not documented

Known Gotchas

  • Prefer the async bcrypt.hash()/bcrypt.compare(): the sync variants block the event loop for the full hash time (hundreds of milliseconds at typical costs), which stalls every other request. Async calls run on the libuv threadpool (4 threads by default, UV_THREADPOOL_SIZE), so the number of concurrent logins a process can serve is still bounded by that pool
  • Cost is exponential: each additional round doubles the hash time. 12 rounds takes on the order of 250 ms on current server hardware; calibrate on the deployment hardware for roughly 100-300 ms per hash and re-check as hardware improves. Too low weakens resistance to offline cracking, too high turns the login endpoint into a denial-of-service vector
  • bcrypt uses at most 72 bytes of the password (bytes, not characters: multi-byte UTF-8 reaches the limit sooner); anything beyond that is silently ignored, so two passwords that differ only after byte 72 verify against the same hash. Mitigate by pre-hashing (for example SHA-512 or SHA-256) and passing the base64- or hex-encoded digest rather than raw digest bytes, which can contain NUL; a base64 SHA-256 digest is 44 bytes and fits. The pre-hash must be applied on every compare as well, and introducing it invalidates existing hashes
  • bcrypt vs bcryptjs: bcrypt (this package) is a native addon built with node-gyp or installed as a prebuilt binary; bcryptjs is pure JavaScript with no build step and, by its own documentation, about 30% slower. Both produce interoperable $2a$/$2b$ hashes, so you can switch between them without rehashing
  • Timing-safe comparison: bcrypt.compare() recomputes the hash with the salt from the stored string and compares in constant time; never compare hash strings yourself with === and never short-circuit on password length before hashing. If the login handler skips compare() when the username is unknown, response time reveals which usernames exist; run compare() against a fixed dummy hash in that branch
  • Hash version compatibility: this package generates $2b$ by default and also accepts $2a$, which verifies identically for ordinary password lengths. Hashes imported from other ecosystems may carry $2y$ (PHP's crypt, computed the same as $2b$) or $2x$ (output of a known-buggy old crypt_blowfish); check which prefixes your version's compare() accepts before a bulk migration, and plan a password reset for $2x$ records rather than trusting them
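Helpers for the hash-format gotchas above and for the legacy-hash migration use case, as an added example in JavaScript that is not part of the bcrypt project. It runs in plain Node.js without calling bcrypt: it recognises the 60-character `$2<variant>$<cost>$<salt+hash>` layout, flags legacy hex MD5/SHA-1 digests, rewrites a `$2y$` prefix to `$2b$` so a `$2a$`/`$2b$`-only verifier can check it, checks the 72-byte limit in bytes rather than characters, and produces a per-record migration plan. The sample records, the action names and the `planMigration` function are constructed for this example.

```javascript
// Added example (not code from the bcrypt project): inspect stored password
// hashes before any bcrypt call so a migration script or login handler can
// route each record. Pure Node.js; no dependencies.

// $2<variant>$<2-digit cost>$<22-char salt><31-char hash>, 60 chars total.
const BCRYPT_RE = /^\$2([abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$/;

// Classify a stored credential: verify with bcrypt.compare(), or verify with
// the legacy scheme and then rehash with bcrypt, or refuse (force a reset).
function classifyStoredHash(stored) {
  if (typeof stored !== 'string') return { scheme: 'unknown' };
  const m = BCRYPT_RE.exec(stored);
  if (m) return { scheme: 'bcrypt', variant: m[1], cost: Number(m[2]) };
  if (/^[0-9a-f]{32}$/i.test(stored)) return { scheme: 'legacy-md5' };
  if (/^[0-9a-f]{40}$/i.test(stored)) return { scheme: 'legacy-sha1' };
  return { scheme: 'unknown' };
}

// $2y$ (PHP's crypt) is computed identically to $2b$ for passwords under 255
// bytes, so rewriting the prefix lets a $2a$/$2b$-only verifier check it.
// $2x$ marks output of a known-buggy crypt_blowfish build and is left as is so
// the caller can force a password reset instead of verifying it.
function toNodeBcryptPrefix(stored) {
  const info = classifyStoredHash(stored);
  if (info.scheme === 'bcrypt' && info.variant === 'y') return '$2b' + stored.slice(3);
  return stored;
}

// The 72-byte limit is in bytes, not characters: 24 four-byte emoji are 96 bytes.
function exceedsBcryptLimit(password) {
  return Buffer.byteLength(password, 'utf8') > 72;
}

// Constructed records for the example; the bcrypt strings are placeholders
// with the right shape, not real hashes. The MD5 value is md5("password").
const sampleRecords = [
  { user: 'alice', hash: '$2b$12$' + 'A'.repeat(53) },
  { user: 'bob',   hash: '$2a$10$' + 'B'.repeat(53) },
  { user: 'carol', hash: '$2y$10$' + 'C'.repeat(53) },
  { user: 'dave',  hash: '5f4dcc3b5aa765d61d8327deb882cf99' },
];

// Decide what to do with each record under a target cost policy.
function planMigration(records, policyCost) {
  return records.map(({ user, hash }) => {
    const info = classifyStoredHash(hash);
    let action;
    if (info.scheme === 'unknown') action = 'force-reset';
    else if (info.scheme !== 'bcrypt') action = 'verify-legacy-then-rehash';
    else if (info.variant === 'x') action = 'force-reset';
    else if (info.cost < policyCost || info.variant !== 'b') action = 'rehash-on-next-login';
    else action = 'keep';
    return { user, action, hash: toNodeBcryptPrefix(hash) };
  });
}

console.table(planMigration(sampleRecords, 12));
```

Legacy records cannot be converted offline without the plaintext, so "verify-legacy-then-rehash" means: on the next login, check the password against the old digest, and if it matches, store a bcrypt hash and delete the old value. If immediate protection of the stored digests matters more, wrap them instead (bcrypt over the legacy hex digest) and verify with the same two-step computation.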


Scores are editorial opinions as of 2026-03-06.
