This error occurs when importing users with a password hash algorithm that Firebase Authentication does not recognize or support. Learn how to identify supported hash algorithms, validate import parameters, and correctly configure user migration.
The "auth/invalid-hash-algorithm" error is thrown by Firebase Admin SDK when attempting to import user accounts using the `importUsers()` API with a password hashing algorithm that is not in Firebase's list of supported algorithms. Firebase restricts user imports to specific hashing methods to ensure security and compatibility. Each supported algorithm requires specific parameters (like rounds or memory cost) that must also fall within acceptable ranges. If you provide an unsupported algorithm name or the algorithm name is misspelled, Firebase will reject the entire import batch.
Firebase supports only specific password hashing algorithms. Check which algorithm you're trying to use:
Standard Algorithms:
- MD5 (rounds: 0-8192)
- SHA1 (rounds: 1-8192)
- SHA256 (rounds: 1-8192)
- SHA512 (rounds: 1-8192)
PBKDF Algorithms:
- PBKDF2_SHA256 (rounds: 0-120000)
- PBKDF2_SHA1 (rounds: 0-120000)
HMAC Algorithms (require key):
- HMAC_MD5
- HMAC_SHA1
- HMAC_SHA256
- HMAC_SHA512
Other:
- BCRYPT
- SCRYPT (Firebase custom scrypt only)
Verify that your algorithm name exactly matches one of these (case-sensitive).
Firebase hash algorithm names are case-sensitive. The most common mistake is incorrect casing:
// WRONG - lowercase algorithm name
const users = [
{
uid: "user123",
email: "[email protected]",
passwordHash: Buffer.from("hashedpassword"),
passwordSalt: Buffer.from("salt"),
customClaims: {},
}
];
await admin.auth().importUsers(users, {
hash: {
algorithm: "sha256", // WRONG: should be uppercase SHA256
rounds: 1000
}
});
// CORRECT
await admin.auth().importUsers(users, {
hash: {
algorithm: "SHA256", // Correct casing
rounds: 1000
}
});Different algorithms require different round ranges. If you're using the correct algorithm name, verify the rounds value is within range:
import * as admin from "firebase-admin";
const users = [
{
uid: "user123",
email: "[email protected]",
passwordHash: Buffer.from("hashedpassword"),
passwordSalt: Buffer.from("salt")
}
];
// PBKDF2_SHA256 with valid rounds (0-120000)
await admin.auth().importUsers(users, {
hash: {
algorithm: "PBKDF2_SHA256",
rounds: 25000 // Valid: within 0-120000 range
}
});
// SHA256 with valid rounds (1-8192)
await admin.auth().importUsers(users, {
hash: {
algorithm: "SHA256",
rounds: 1000 // Valid: within 1-8192 range
}
});HMAC-based algorithms require a secret key that was used to create the hash. Without it, Firebase cannot import the users:
const users = [
{
uid: "user123",
email: "[email protected]",
passwordHash: Buffer.from("hmachashedpassword"),
// No password salt for HMAC
}
];
// Provide the HMAC key
await admin.auth().importUsers(users, {
hash: {
algorithm: "HMAC_SHA256",
key: Buffer.from("your-secret-key-used-in-original-system") // Required for HMAC
}
});Firebase has a proprietary scrypt implementation. If migrating between Firebase projects or using Firebase scrypt, you need the exact parameters from your Firebase project:
1. Go to Firebase Console → Authentication → Users tab
2. Click the three-dot menu (⋮) and select "Password Hash Parameters"
3. Copy the exact parameters shown (memoryCost, parallelization, blockSize, saltSeparator, signerKey)
4. Use these in your import:
await admin.auth().importUsers(users, {
hash: {
algorithm: "SCRYPT",
memoryCost: 15,
parallelization: 8,
blockSize: 128,
saltSeparator: Buffer.from("Bw==", "base64"),
signerKey: Buffer.from("your-signer-key", "base64")
}
});Before importing all users, test with a small sample batch to catch errors early:
const testUsers = users.slice(0, 10); // Test with first 10 users
try {
const result = await admin.auth().importUsers(testUsers, {
hash: {
algorithm: "PBKDF2_SHA256",
rounds: 25000
}
});
console.log("Imported:", result.successCount, "Failed:", result.failureCount);
// Check individual error messages
result.errors.forEach((err, idx) => {
if (err) {
console.error(`User ${idx}: ${err.message}`);
}
});
} catch (err) {
console.error("Import batch failed:", err.message);
// Fix the algorithm or parameters before importing remaining users
}Firebase's algorithm validation is strict because password security depends on using approved, well-tested hashing functions. Do not attempt to use unsupported algorithms or create workarounds. If your original system uses an unsupported algorithm, you have three options: (1) re-hash all passwords with a supported Firebase algorithm before import, (2) ask users to reset their passwords after migration and discard the old hashes, or (3) use Firebase custom claims to flag accounts needing password reset on first login. The algorithm name in the hash options object is case-sensitive and must exactly match Firebase's supported list. Always retrieve scrypt parameters from your specific Firebase project—they are unique per project and not transferable. When importing from another Firebase project, ensure you're using that project's scrypt parameters, not generic defaults.
Callable Functions: INTERNAL - Unhandled exception
How to fix "Callable Functions: INTERNAL - Unhandled exception" in Firebase
Hosting: CORS configuration not set up properly
How to fix CORS configuration in Firebase Hosting
auth/reserved-claims: Custom claims use reserved OIDC claim names
How to fix "reserved claims" error when setting custom claims in Firebase
Callable Functions: UNAUTHENTICATED - Invalid credentials
How to fix "UNAUTHENTICATED - Invalid credentials" in Firebase Callable Functions
messaging/message-rate-exceeded: Overall sending rate too high
Overall sending rate too high in Firebase Cloud Messaging