Cryptography Utilities

Constant Time Compare

Performs timing-safe string comparison to prevent timing attacks when validating secrets, tokens, or passwords. Available via MCP in Cursor and other AI editors, or through the REST API at /v1/crypto/constant-time-compare. Takes two strings and returns a boolean indicating equality, without leaking length or content information through execution time. Essential for secure authentication flows.

API Endpoint

GET /v1/crypto/constant-time-compare

Code Examples

cURL

curl "https://tinyfn.io/v1/crypto/constant-time-compare" \
  -H "X-API-Key: YOUR_API_KEY"

JavaScript

const response = await fetch('https://tinyfn.io/v1/crypto/constant-time-compare', {
  headers: { 'X-API-Key': 'YOUR_API_KEY' }
});
const data = await response.json();
console.log(data);

Python

import requests

response = requests.get('https://tinyfn.io/v1/crypto/constant-time-compare',
    headers={'X-API-Key': 'YOUR_API_KEY'})
data = response.json()
print(data)

Use via MCP

Add to your AI agent

Connect your AI agent (Claude, Cursor, Windsurf, etc.) to TinyFn's cryptography tools:

{
  "mcpServers": {
    "tinyfn-crypto": {
      "url": "https://tinyfn.io/mcp/crypto",
      "headers": {
        "X-API-Key": "YOUR_API_KEY"
      }
    }
  }
}


FAQ

What is constant time comparison and why do I need it?

Constant time comparison prevents timing attacks where attackers measure how long string comparisons take to guess secrets. Regular string comparison exits early on the first differing character, leaking information through execution time.

How do I use constant time compare in my MCP-enabled AI assistant?

Call the tool with two strings to compare: the secret you're validating against and the user-provided value. It returns true/false without revealing timing information that could help attackers.

When should I use this instead of regular string comparison?

Use it to compare passwords, API keys, CSRF tokens, or any authentication secrets. Never use regular == or === for security-sensitive comparisons, because they are vulnerable to timing attacks.

Does constant time compare work with different string lengths?

Yes, it safely compares strings of any length. The function always takes the same amount of time regardless of input length or how many characters match.

Can I use this for comparing hashed passwords?

Absolutely. This is perfect for comparing bcrypt hashes, PBKDF2 outputs, or any hashed credentials where timing leaks could help attackers mount offline attacks.
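Added example (not TinyFn's code and not part of the original page): a local Python sketch of the early-exit leak and the constant-time alternative that the FAQ answers above describe. Step counts stand in for execution time, and all function names and the sample token are constructed for illustration. The last comparison goes slightly beyond the page by HMAC-ing both inputs first, so that strings of different lengths reach the final comparison as equal-length digests.

```python
import hashlib
import hmac
import secrets

def naive_compare_steps(expected: bytes, supplied: bytes):
    """Early-exit compare; returns (equal, bytes examined before returning)."""
    if len(expected) != len(supplied):
        return False, 0
    steps = 0
    for a, b in zip(expected, supplied):
        steps += 1
        if a != b:          # leaves at the first mismatch: this is the leak
            return False, steps
    return True, steps

def xor_compare_steps(expected: bytes, supplied: bytes):
    """Accumulating compare; always walks every byte of equal-length inputs."""
    if len(expected) != len(supplied):
        return False, 0
    diff = steps = 0
    for a, b in zip(expected, supplied):
        steps += 1
        diff |= a ^ b       # record any difference, never branch on it
    return diff == 0, steps

_KEY = secrets.token_bytes(32)  # random per-process key (assumption of this sketch)

def constant_time_equal(expected: str, supplied: str) -> bool:
    """HMAC both values so compare_digest always sees two 32-byte digests."""
    a = hmac.new(_KEY, expected.encode(), hashlib.sha256).digest()
    b = hmac.new(_KEY, supplied.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(a, b)

def step_profile(secret: bytes, guesses):
    """Per guess: (steps used by the naive compare, steps used by the XOR compare)."""
    return [(naive_compare_steps(secret, g)[1], xor_compare_steps(secret, g)[1])
            for g in guesses]

if __name__ == "__main__":
    SECRET = b"tok_3f9a1c"                                    # constructed sample token
    GUESSES = [b"xxxxxxxxxx", b"tok_000000", b"tok_3f9a1d"]   # constructed guesses
    for guess, (naive, xor) in zip(GUESSES, step_profile(SECRET, GUESSES)):
        print(guess.decode(), "naive steps:", naive, "xor steps:", xor)
    print(constant_time_equal("tok_3f9a1c", "tok_3f9a1c"))
    print(constant_time_equal("tok_3f9a1c", "tok"))
```

The naive step count grows with the length of the matching prefix, which is the signal a timing attack measures; the accumulating compare does the same work for every guess.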
