How to Get SHA-1 & SHA-256 Fingerprints for Android App — 2025 Guide
How to Get SHA-1 & SHA-256 Fingerprints for Your Android App — Android Studio (2025 Guide)
If you’re an Android developer, integrating your app with services like Firebase, Google Maps, Facebook Login, or other APIs often requires providing your app’s SHA-1 and SHA-256 fingerprints. These fingerprints uniquely identify your app’s signing certificate and are essential for security and authentication.
Whether you are a beginner or an experienced developer, this comprehensive guide will help you obtain SHA-1 and SHA-256 fingerprints using Android Studio, Java keytool, or even Google Play App Signing.
What Are SHA-1 and SHA-256 Fingerprints?
SHA-1 and SHA-256 are cryptographic hash functions that generate a unique fingerprint for your app’s signing certificate.
- SHA-1: Produces a 160-bit (20-byte) hash value. It has been widely used but is now considered less secure.
- SHA-256: Produces a 256-bit (32-byte) hash and is more secure than SHA-1.
These fingerprints are required by services like:
- Firebase Authentication
- Google Maps API
- Facebook Login
- Google Cloud Services
Without these fingerprints, your app will not be recognized as authentic, and API integrations will fail.
Why SHA-1 and SHA-256 Are Important for Android Apps
Obtaining and registering SHA fingerprints ensures:
- Security: Only your app can access the registered services.
- API Authentication: Google, Firebase, and Facebook verify your app via these fingerprints.
- Smooth Deployment: Helps avoid errors in production or testing environments.
For example, using the wrong SHA-1 fingerprint in Firebase can prevent push notifications or Google sign-in from working.
How to Obtain SHA-1 & SHA-256 Fingerprints Using Android Studio
There are two main ways to get your app’s fingerprints using Android Studio:
1. Using Gradle’s signingReport Command
- Open Android Studio and go to the Terminal tab.
- Run the command:
  - Windows:
      gradlew signingReport
  - macOS/Linux:
      ./gradlew signingReport
- Look for the output under Variant: debug or Variant: release. You’ll see:
    SHA1: XX:XX:XX:...
    SHA-256: XX:XX:XX:...
These are the fingerprints you can use for API integrations.
2. Enabling Gradle Task List (if signingReport is missing)
If the signingReport task is not visible:
- Go to File > Settings (or Android Studio > Preferences on macOS).
- Navigate to Build, Execution, Deployment > Compiler.
- Uncheck Do not build Gradle task list during Gradle sync.
- Sync your project.
- Go to Gradle > Tasks > android and run signingReport.
This method works even for large projects with multiple build variants.
How to Obtain SHA-1 & SHA-256 Fingerprints Without Android Studio
If you don’t have Android Studio installed, you can use Java’s keytool utility:
- Open Command Prompt (Windows) or Terminal (macOS/Linux).
- Run the following command:
    keytool -list -v -keystore <path-to-your-keystore> -alias <your-key-alias>
  Replace:
  - <path-to-your-keystore> → path to your .jks or .keystore file
  - <your-key-alias> → your key alias
- Enter the keystore password when prompted.
- You’ll see the SHA-1 and SHA-256 fingerprints displayed.
This method is useful for CI/CD pipelines or servers without Android Studio installed.
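For the CI/CD case, a pipeline step can parse the fingerprint lines and refuse to continue when the keystore is not the one registered with the API provider. The following is an added example, not code from the original guide: the function names, the stand-in certificate bytes and the sample output are constructed for illustration, and the parser assumes a single keystore entry in the text it is given.

```python
import hashlib
import re

def colon_hex(digest: bytes) -> str:
    """Format raw digest bytes the way keytool prints them: AA:BB:..."""
    return ":".join(f"{b:02X}" for b in digest)

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
# A real fingerprint is the digest of the DER-encoded signing certificate.
FAKE_DER = b"constructed-certificate-bytes"

# Constructed sample shaped like `keytool -list -v` output.
SAMPLE_OUTPUT = f"""Alias name: upload
Entry type: PrivateKeyEntry
Certificate fingerprints:
\t SHA1: {colon_hex(hashlib.sha1(FAKE_DER).digest())}
\t SHA256: {colon_hex(hashlib.sha256(FAKE_DER).digest())}
Signature algorithm name: SHA256withRSA
"""

# Accepts both "SHA256:" (keytool) and "SHA-256:" (signingReport) labels.
LINE = re.compile(r"^\s*SHA-?(1|256):\s*([0-9A-Fa-f:]+)\s*$", re.M)
EXPECTED_BYTES = {"1": 20, "256": 32}

def parse_fingerprints(text: str) -> dict:
    """Return {'SHA1': ..., 'SHA256': ...} in normalised upper-case colon hex."""
    found = {}
    for algo, value in LINE.findall(text):
        raw = bytes.fromhex(value.replace(":", ""))
        if len(raw) != EXPECTED_BYTES[algo]:
            raise ValueError(f"SHA{algo} fingerprint has {len(raw)} bytes")
        found[f"SHA{algo}"] = colon_hex(raw)
    return found

def matches_pin(text: str, pinned_sha256: str) -> bool:
    """True only if the SHA-256 in `text` equals the registered fingerprint."""
    pinned = pinned_sha256.replace(":", "").strip().upper()
    actual = parse_fingerprints(text).get("SHA256", "").replace(":", "")
    return bool(actual) and actual == pinned

if __name__ == "__main__":
    print(parse_fingerprints(SAMPLE_OUTPUT))
```

In a pipeline, the text would come from the keytool command above and the pinned value from the fingerprint registered with the provider; a False result should fail the build.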
Using Play App Signing to Obtain Fingerprints
Google Play provides Play App Signing, which manages your release keys securely.
- Go to Play Console > App Signing.
- Select your app.
- Under App Signing Certificate, you’ll see both SHA-1 and SHA-256 fingerprints.
Tip: Use these fingerprints when registering your production app with Firebase or Google APIs, instead of local keystore fingerprints.
Generating Key Hash for Services Like Facebook Login
Facebook Login requires a key hash, which is a Base64-encoded SHA-1 fingerprint:
- Obtain your SHA-1 fingerprint using Android Studio or keytool.
- Convert SHA-1 to Base64:
    echo <your-sha1-fingerprint> | xxd -r -p | openssl base64
- Use the resulting Base64 string as your Facebook key hash.
This step is required to enable Facebook authentication in your app.
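The same conversion in both directions, as an added example that is not part of the original guide. It rejects the two usual mistakes (pasting the SHA-256 line, or Base64-encoding the hex text instead of the bytes) and maps a key hash back to a known certificate, which helps when a mismatch turns out to be the debug key versus the Play App Signing key. The function names and the fingerprints in KNOWN are constructed for illustration.

```python
import base64

SHA1_BYTES = 20  # a SHA-1 digest is always 20 bytes, i.e. 28 Base64 characters

def to_colon_hex(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def key_hash_from_sha1(fingerprint: str) -> str:
    """Colon-separated SHA-1 fingerprint -> Base64 key hash."""
    raw = bytes.fromhex(fingerprint.strip().replace(":", ""))
    if len(raw) != SHA1_BYTES:
        # Typical cause: the SHA-256 line was pasted instead of the SHA1 line.
        raise ValueError(f"need a 20-byte SHA-1 fingerprint, got {len(raw)} bytes")
    return base64.b64encode(raw).decode("ascii")

def sha1_from_key_hash(key_hash: str) -> str:
    """Base64 key hash -> colon-separated SHA-1, comparable with keytool output."""
    raw = base64.b64decode(key_hash.strip(), validate=True)
    if len(raw) != SHA1_BYTES:
        # Typical cause: the hex text was Base64-encoded (hex decode step skipped).
        raise ValueError(f"key hash decodes to {len(raw)} bytes, not 20")
    return to_colon_hex(raw)

def which_certificate(key_hash: str, known: dict):
    """Return the label of the known certificate this key hash matches, or None."""
    sha1 = sha1_from_key_hash(key_hash)
    for label, fingerprint in known.items():
        if fingerprint.strip().upper() == sha1:
            return label
    return None

# Constructed fingerprints (not taken from real certificates).
KNOWN = {
    "debug": to_colon_hex(bytes(range(20))),
    "play-app-signing": to_colon_hex(bytes(range(100, 120))),
}

if __name__ == "__main__":
    kh = key_hash_from_sha1(KNOWN["debug"])
    print(kh, "->", which_certificate(kh, KNOWN))
```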
Common Errors and Troubleshooting
- Wrong SHA-1 in Firebase: Ensure you are using the release keystore SHA-1 for production apps.
- Keytool not found: Make sure Java JDK is installed and added to your system PATH.
- Lost Keystore: If you lose your keystore, you cannot update your app. Back up your .jks file safely.
- Play App Signing mismatch: Only use fingerprints from Play Console for apps enrolled in Play App Signing.
FAQs
Q1: Can I use debug SHA-1 for production apps?
No. Always use the release SHA-1 for production.
Q2: How do I find my release keystore?
It’s the .jks or .keystore file you used to sign your app for release.
Q3: What if I lose my keystore?
You will not be able to update your app. Always back up your keystore and credentials.
Q4: Do I need SHA-256 for all services?
Not all, but Google recommends SHA-256 for enhanced security and compatibility.
Q5: Can I generate SHA-1 without Android Studio?
Yes, using Java’s keytool as explained above.
Conclusion
Obtaining SHA-1 and SHA-256 fingerprints is a crucial step for Android app development and integration with services like Firebase, Google APIs, and Facebook Login.
- Use Android Studio for easy generation.
- Use keytool for environments without Android Studio.
- Use Play App Signing for production-level certificates.
By following this 2025 guide, you can ensure that your app’s integrations are secure, authenticated, and work seamlessly across all platforms.
Pro Tip: Always back up your keystore files, keep track of release SHA-1 fingerprints, and use SHA-256 where possible for enhanced security.