[pre-commit.ci] pre-commit autoupdate (#228 )

updates: - [github.com/astral-sh/ruff-pre-commit: v0.15.9 → v0.15.12](https://github.com/astral-sh/ruff-pre-commit/compare/v0.15.9...v0.15.12) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Bump the github-actions group with 5 updates (#227 )
2026-05-05 08:47:13 +02:00 · 2026-05-01 06:34:41 +02:00 · 2026-04-06 19:46:54 +02:00 · 2026-04-01 13:13:47 +02:00 · 2026-03-03 07:14:27 +01:00 · 2026-03-01 07:26:22 +01:00
60 changed files with 2139 additions and 1559 deletions
--- a/.git_archival.txt
+++ b/.git_archival.txt
@ -0,0 +1,3 @@
+node: $Format:%H$
+node-date: $Format:%cI$
+describe-name: $Format:%(describe:tags=true,match=*[0-9]*)$
--- a/.github/CODE_OF_CONDUCT.md
+++ b/.github/CODE_OF_CONDUCT.md
@ -1,133 +1,16 @@
+# Code of Conduct

-# Contributor Covenant Code of Conduct
+While not being a [Python Software Foundation](https://www.python.org/psf-landing/) project, everyone interacting in this project is expected to follow the [PSF Code of Conduct](https://policies.python.org/python.org/code-of-conduct/).

-## Our Pledge
+In general, this means that everyone is expected to be **open**, **considerate**, and **respectful** of others no matter what their position is within the project.

-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, caste, color, religion, or sexual
-identity and orientation.
-
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for our
-community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the overall
-  community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or advances of
-  any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email address,
-  without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official e-mail address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.

 ## Enforcement

-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-<mailto:hs@ox.cx>.
-All complaints will be reviewed and investigated promptly and fairly.
+We take Code of Conduct violations seriously, and will act to ensure our spaces are welcoming, inclusive, and professional environments to communicate in.

-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
+If you need to raise a Code of Conduct report, you may do so privately by email to [Hynek Schlawack](mailto:hs@ox.cx).

-## Enforcement Guidelines
+Reports will be treated confidentially.

-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series of
-actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or permanent
-ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior, harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within the
-community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.1, available at
-[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
-
-Community Impact Guidelines were inspired by
-[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
-
-For answers to common questions about this code of conduct, see the FAQ at
-[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
-[https://www.contributor-covenant.org/translations][translations].
-
-[homepage]: https://www.contributor-covenant.org
-[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
-[Mozilla CoC]: https://github.com/mozilla/diversity
-[FAQ]: https://www.contributor-covenant.org/faq
-[translations]: https://www.contributor-covenant.org/translations
+Alternately you can make a [report to the Python Software Foundation](https://policies.python.org/python.org/code-of-conduct/Procedures-for-Reporting-Incidents/).
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@ -1,14 +1,10 @@
 # How To Contribute

-First off, thank you for considering contributing to *argon2-cffi*!
-It's people like *you* who make it such a great tool for everyone.
+First off, thank you for considering contributing!
+It's people like *you* who make it is such a great tool for everyone.

-This document intends to make contribution more accessible by codifying tribal knowledge and expectations.
-Don't be afraid to open half-finished PRs, and ask questions if something is unclear!
-
-Please note that this project is released with a Contributor [Code of Conduct](https://github.com/hynek/argon2-cffi/blob/main/.github/CODE_OF_CONDUCT.md).
-By participating in this project you agree to abide by its terms.
-Please report any harm to [Hynek Schlawack] in any way you find appropriate.
+This document is mainly to help you to get started by codifying tribal knowledge and expectations and make it more accessible to everyone.
+But don't be afraid to open half-finished PRs and ask questions if something is unclear!


 ## Workflow
@ -22,87 +18,109 @@ Please report any harm to [Hynek Schlawack] in any way you find appropriate.
  This is a hard rule; patches with missing tests or documentation can't be merged.
 - Make sure your changes pass our [CI].
  You won't get any feedback until it's green unless you ask for it.
+- For the CI to pass, the coverage must be 100%.
+  If you have problems to test something, open anyway and ask for advice.
+  In some situations, we may agree to add an `# pragma: no cover`.
 - Once you've addressed review feedback, make sure to bump the pull request with a short note, so we know you're done.
- Don’t break backwards compatibility.
+- Don’t break backwards-compatibility.


-## Local Development Environment
+## Local development environment

-You can (and should) run our test suite using [*tox*].
-However, you’ll probably want a more traditional environment as well.
-We highly recommend to develop using the latest Python release because we try to take advantage of modern features whenever possible.
+First, **fork** the repository on GitHub and **clone** it using one of the alternatives that you can copy-paste by pressing the big green button labeled `<> Code`.

-First create a [virtual environment](https://virtualenv.pypa.io/) so you don't break your system-wide Python installation.
-It’s out of scope for this document to list all the ways to manage virtual environments in Python, but if you don’t already have a pet way, take some time to look at tools like [*direnv*](https://hynek.me/til/python-project-local-venvs/), [*virtualfish*](https://virtualfish.readthedocs.io/), and [*virtualenvwrapper*](https://virtualenvwrapper.readthedocs.io/).
+You can (and should) run our test suite using [*tox*](https://tox.wiki/).
+However, you'll probably want a more traditional environment as well.

-Next, get an up to date checkout of the *argon2-cffi* repository:
+We recommend using the Python version from the `.python-version-default` file in the project's root directory, because that's the one that is used in the CI by default, too.

-```console
-$ git clone git@github.com:hynek/argon2-cffi.git
+If you're using [*direnv*](https://direnv.net), you can automate the creation of the project virtual environment with the correct Python version by adding the following `.envrc` to the project root:
+
+```bash
+layout python python$(cat .python-version-default)
 ```

-or if you want to use git via `https`:
+or, if you like [*uv*](https://github.com/astral-sh/uv):

-```console
-$ git clone https://github.com/hynek/argon2-cffi.git
+```bash
+test -d .venv || uv venv --python python$(cat .python-version-default)
+. .venv/bin/activate
 ```

-Change into the newly created directory and **after activating your virtual environment** install an editable version of *argon2-cffi* along with its tests and docs requirements:
+> [!WARNING]
+> - **Before** you start working on a new pull request, use the "*Sync fork*" button in GitHub's web UI to ensure your fork is up to date.
+> - **Always create a new branch off `main` for each new pull request.**
+>   Yes, you can work on `main` in your fork and submit pull requests.
+>   But this will *inevitably* lead to you not being able to synchronize your fork with upstream and having to start over.
+
+Change into the newly created directory and after activating a virtual environment, install an editable version of this project along with its tests requirements:

 ```console
-$ cd argon2-cffi
-$ python -m pip install --upgrade pip setuptools  # PLEASE don't skip this step
-$ python -m pip install -e '.[dev]'
+$ pip install -e . --group dev  # or `uv pip install -e . --group dev`
 ```

-At this point,
+Now you can run the test suite:

 ```console
-$ python -m pytest
+$ python -Im pytest
 ```

-should work and pass, as should:
+When working on the documentation, use:

 ```console
-$ cd docs
-$ make html
+$ tox run -e docs-watch
 ```

-The built documentation can then be found in `docs/_build/html/`.
+This will build the documentation, and then watch for changes and rebuild it whenever you save a file.

-To avoid committing code that violates our style guide, we strongly advise you to install [*pre-commit*] [^dev] hooks:
+To just build the documentation and run doctests, use:
+
+```console
+$ tox run -e docs
+```
+
+You will find the built documentation in `docs/_build/html`.
+
+To avoid committing code that violates our style guide, we strongly advise you to install [*pre-commit*] and its hooks:

 ```console
 $ pre-commit install
 ```

-You can also run them anytime (as our tox does) using:
+This is not strictly necessary, because our [*tox*] file contains an environment that runs:

 ```console
 $ pre-commit run --all-files
 ```

-[^dev]: *pre-commit* should have been installed into your virtualenv automatically when you ran `pip install -e '.[dev]'` above.
-        If *pre-commit* is missing, your probably need to run `pip install -e '.[dev]'` again.
+and our CI has integration with [*pre-commit.ci*](https://pre-commit.ci).
+But it's way more comfortable to run it locally and *git* catching avoidable errors.


 ## Code

 - Obey [PEP 8](https://www.python.org/dev/peps/pep-0008/) and [PEP 257](https://www.python.org/dev/peps/pep-0257/).
-  We use the `"""`-on-separate-lines style for docstrings:
+  We use the `"""`-on-separate-lines style for docstrings and [Napoleon](https://www.sphinx-doc.org/en/master/usage/extensions/napoleon.html) for parsing them:

  ```python
-  def func(x):
+  def func(x: str, y: bool) -> int:
      """
      Do something.

-      :param str x: A very important parameter.
+      Args:
+          x: A very important parameter.

-      :rtype: str
+          y:
+              Another important parameter whose description is too long for one
+              line, therefore it starts on the next line.
+
+      Returns:
+          Something!
      """
  ```
 - If you add or change public APIs, tag the docstring using `..  versionadded:: 16.0.0 WHAT` or `..  versionchanged:: 16.2.0 WHAT`.
- We use [*isort*](https://github.com/PyCQA/isort) to sort our imports, and we use [*Black*](https://github.com/psf/black) with line length of 79 characters to format our code.
+
+- We use [Ruff](https://ruff.rs/) to sort our imports and format our code with a line length of 79 characters.
  As long as you run our full [*tox*] suite before committing, or install our [*pre-commit*] hooks (ideally you'll do both – see [*Local Development Environment*](#local-development-environment) above), you won't have to spend any time on formatting your code at all.
  If you don't, [CI] will catch it for you – but that seems like a waste of your time!

@ -120,17 +138,15 @@ $ pre-commit run --all-files

 - To run the test suite, all you need is a recent [*tox*].
  It will ensure the test suite runs with all dependencies against all Python versions just as it will in our [CI].
-  If you lack some Python versions, you can can always limit the environments like `tox -e py38,py39`, or make it a non-failure using `tox --skip-missing-interpreters`.

-  In that case you should look into [*asdf*](https://asdf-vm.com) or [*pyenv*](https://github.com/pyenv/pyenv), which make it very easy to install many different Python versions in parallel.
 - Write [good test docstrings](https://jml.io/pages/test-docstrings.html).


 ## Documentation

- Use [semantic newlines] in [Markdown*] files (files ending in `.md`):
+- Use [semantic newlines] in [*reStructuredText*](https://www.sphinx-doc.org/en/master/usage/restructuredtext/index.html) and [Markdown](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax) files (files ending in `.rst` and `.md`):

-  ```markdown
+  ```rst
  This is a sentence.
  This is another sentence.
  ```
@ -140,7 +156,12 @@ $ pre-commit run --all-files

 If your change is noteworthy, there needs to be a changelog entry in `CHANGELOG.md`.

+- The changelog follows the [*Keep a Changelog*](https://keepachangelog.com/en/1.0.0/) standard.
+  Please add the best-fitting section if it's missing for the current release.
+  We use the following order: `Security`, `Removed`, `Deprecated`, `Added`, `Changed`, `Fixed`.
 - As with other docs, please use [semantic newlines] in the changelog.
+- Make the last line a link to your pull request.
+  You probably have to open it first to know the number.
 - Wrap symbols like modules, functions, or classes into backticks so they are rendered in a `monospace font`.
 - Wrap arguments into asterisks like in docstrings:
  `Added new argument *an_argument*.`
@ -153,7 +174,8 @@ If your change is noteworthy, there needs to be a changelog entry in `CHANGELOG.
  * Added `argon2_cffi.func()`.
  * `argon2_cffi.func()` now doesn't crash the Large Hadron Collider anymore when passed the *foobar* argument.

-Example entries:
+
+#### Example entries

 ```markdown
 Added `argon2_cffi.func()`.
@ -167,6 +189,15 @@ or:
 The bug really *was* nasty.
 ```

+---
+
+Again, this list is mainly to help you to get started by codifying tribal knowledge and expectations.
+If something is unclear, feel free to ask for help!
+
+Please note that this project is released with a Contributor [Code of Conduct](https://github.com/hynek/argon2-cffi/blob/main/.github/CODE_OF_CONDUCT.md).
+By participating in this project you agree to abide by its terms.
+Please report any harm to [Hynek Schlawack] in any way you find appropriate.
+

 [CI]: https://github.com/hynek/argon2-cffi/actions
 [Hynek Schlawack]: https://hynek.me/about/
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -1,4 +1,3 @@
 ---
 github: hynek
-ko_fi: the_hynek
 tidelift: "pypi/argon2_cffi"
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -0,0 +1,33 @@
+# Summary
+
+<!-- Please tell us what your pull request is about here. -->
+
+
+# Pull Request Check List
+
+<!--
+This is just a friendly reminder about the most common mistakes.
+Please make sure that you tick all boxes.
+But please read our [contribution guide](https://github.com/hynek/argon2-cffi/blob/main/.github/CONTRIBUTING.md) at least once; it will save you unnecessary review cycles!
+
+If an item doesn't apply to your pull request, **check it anyway** to make it apparent that there's nothing left to do.
+-->
+
+- [ ] Do **not** open pull requests from your `main` branch – **use a separate branch**!
+  - There's a ton of footguns waiting if you don't heed this warning. You can still go back to your project, create a branch from your main branch, push it, and open the pull request from the new branch.
+  - This is not a pre-requisite for your pull request to be accepted, but **you have been warned**.
+- [ ] Added **tests** for changed code.
+    - The CI fails with less than 100% coverage.
+- [ ] **New APIs** are added to our typing tests in [`api.py`](https://github.com/hynek/argon2-cffi/blob/main/tests/typing/api.py).
+- [ ] Updated **documentation** for changed code.
+    - [ ] New functions/classes have to be added to `docs/api.rst` by hand.
+    - [ ] Changed/added classes/methods/functions have appropriate `versionadded`, `versionchanged`, or `deprecated` [directives](http://www.sphinx-doc.org/en/stable/markup/para.html#directive-versionadded).
+      - The next version is the second number in the current release + 1. The first number represents the current year. So if the current version on PyPI is 23.1.0, the next version is gonna be 23.2.0. If the next version is the first in the new year, it'll be 24.1.0.
+- [ ] Documentation in `.rst` and `.md` files is written using [**semantic newlines**](https://rhodesmill.org/brandon/2012/one-sentence-per-line/).
+- [ ] Changes (and possible deprecations) are documented in the [**changelog**](https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md).
+- [ ] Consider granting [push permissions to the PR branch](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork), so maintainers can fix minor issues themselves without pestering you.
+
+<!--
+If you have *any* questions to *any* of the points above, just **submit and ask**!
+This checklist is here to *help* you, not to deter you from contributing!
+-->
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@ -2,11 +2,17 @@

 ## Supported Versions

-We are following [CalVer](https://calver.org) with generous backward-compatibility guarantees. Therefore we only support the latest version.
+We follow [Calendar Versioning](https://calver.org) with generous backwards-compatibility guarantees.
+Therefore, we only support the latest version.
+
+That said, you shouldn't be afraid to upgrade if you're only using our documented public APIs and pay attention to `DeprecationWarning`s.
+Whenever there is a need to break compatibility, it is announced in the changelog and raises a `DeprecationWarning` for a year (if possible) before it's finally really broken.
+
+> [!WARNING]
+> What explicitly *may* change over time are the default [hashing parameters](https://argon2-cffi.readthedocs.io/en/stable/parameters.html) and the behavior of the [CLI interface](https://argon2-cffi.readthedocs.io/en/stable/cli.html).


-## Reporting a Vulnerability
+## Security contact information

-If you think you found a Vulnerability, please contact Hynek Schlawack at <hs@ox.cx>.
-
-If you insist on using PGP, you can use the key `0xAE2536227F69F181`. The fingerprint must be `C2A0 4F86 ACE2 8ADC F817 DBB7 AE25 3622 7F69 F181`.  You can also find it on [Keybase](https://keybase.io/hynek).
+To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,14 @@
+---
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      default-days: 7
+    groups:
+      github-actions:
+        patterns:
+          - "*"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,265 @@
+---
+name: CI
+
+on:
+  push:
+    branches: [main]
+    tags: ["*"]
+  pull_request:
+  workflow_dispatch:
+
+env:
+  FORCE_COLOR: "1" # Make tools pretty.
+  PIP_DISABLE_PIP_VERSION_CHECK: "1"
+  PIP_NO_PYTHON_VERSION_WARNING: "1"
+
+permissions: {}
+
+
+jobs:
+  build-package:
+    name: Build & verify package
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0
+        id: baipp
+
+    outputs:
+      # Used to define the matrix for tests below. The value is based on
+      # packaging metadata (trove classifiers).
+      python-versions: ${{ steps.baipp.outputs.supported_python_classifiers_json_array }}
+
+
+  tests:
+    name: Tests & Mypy API on ${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+    needs: build-package
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Created by the build-and-inspect-python-package action above.
+        python-version: ${{ fromJson(needs.build-package.outputs.python-versions) }}
+
+    env:
+      PYTHON: ${{ matrix.python-version }}
+
+    steps:
+      - name: Download pre-built packages
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: Packages
+          path: dist
+      - run: |
+          tar xf dist/*.tar.gz --strip-components=1
+          rm -rf src
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ matrix.python-version }}
+          allow-prereleases: true
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
+
+      - name: Run tests
+        run: >
+          uvx --with tox-uv tox run
+          --installpkg dist/*.whl
+          -f py${PYTHON//./}-tests
+
+      - name: Upload coverage data
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: coverage-data-${{ matrix.python-version }}
+          path: .coverage.*
+          include-hidden-files: true
+          if-no-files-found: ignore
+
+      - name: Check public API with Mypy
+        run: >
+          uvx --with tox-uv tox run
+          --installpkg dist/*.whl
+          -e py${PYTHON//./}-mypy
+
+  free-threading:
+    name: Test free-threaded builds on ${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+    needs: build-package
+
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version:
+          - 3.14t
+    env:
+      PYTHON: ${{ matrix.python-version }}
+
+    steps:
+      - name: Download pre-built packages
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: Packages
+          path: dist
+      - run: |
+          tar xf dist/*.tar.gz --strip-components=1
+          rm -rf src
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ matrix.python-version }}
+          allow-prereleases: true
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
+
+      - name: Run tests
+        run: |
+          uv venv --python $PYTHON
+          # cffi 2 is required and currently beta.
+          uv pip install --prerelease=allow dist/*.whl --group dev
+
+          .venv/bin/python -Im pytest tests
+
+
+  coverage:
+    name: Ensure 100% test coverage
+    runs-on: ubuntu-latest
+    needs: tests
+    if: always()
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: .python-version-default
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
+
+      - name: Download coverage data
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: coverage-data-*
+          merge-multiple: true
+
+      - name: Combine coverage and fail if it's <100%.
+        run: |
+          uv tool install coverage
+
+          coverage combine
+          coverage html --skip-covered --skip-empty
+
+          # Report and write to summary.
+          coverage report --format=markdown >> $GITHUB_STEP_SUMMARY
+
+          # Report again and fail if under 100%.
+          coverage report --fail-under=100
+
+      - name: Upload HTML report if check failed.
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: html-report
+          path: htmlcov
+        if: ${{ failure() }}
+
+
+  system-package:
+    name: Install & test with system package of Argon2
+    runs-on: ubuntu-latest
+    needs: build-package
+
+    steps:
+      - name: Download pre-built packages
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: Packages
+          path: dist
+      - run: tar xf dist/*.tar.gz --strip-components=1
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: .python-version-default
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get install libargon2-1 libargon2-dev
+          python -VV
+          python -Im site
+          python -Im pip install --upgrade tox
+
+      - run: python -Im tox run -e system-argon2
+
+  typing:
+    name: Check types using supported type checkers
+    runs-on: ubuntu-latest
+    needs: build-package
+
+    steps:
+      - name: Download pre-built packages
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: Packages
+          path: dist
+      - run: tar xf dist/*.tar.gz --strip-components=1
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: .python-version-default
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
+
+      - run: uvx --with tox-uv tox run -f typing
+
+  docs:
+    name: Run doctests
+    needs: build-package
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download pre-built packages
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: Packages
+          path: dist
+      - run: tar xf dist/*.tar.gz --strip-components=1
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
+
+      - run: >
+          uvx --with tox-uv
+          tox run -e docs-doctests
+
+
+  install-dev:
+    name: Verify dev env
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: .python-version-default
+
+      - name: Install in dev mode and run CLI
+        run: |
+         python -Im pip install -e . --group dev
+         python -Im argon2 -n 1 -t 1 -m 8 -p 1
+
+
+  required-checks-pass:
+    if: always()
+    name: Ensure everything required is passing for branch protection
+    runs-on: ubuntu-latest
+    needs:
+      - coverage
+      - typing
+      - docs
+      - install-dev
+      - system-package
+
+    steps:
+      - name: Decide whether the needed jobs succeeded or failed
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2
+        with:
+          jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -0,0 +1,40 @@
+---
+name: CodeQL
+
+on:
+  schedule:
+    - cron: "30 22 * * 4"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [python]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -1,130 +0,0 @@
---
-name: CI
-
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
-  workflow_dispatch:
-
-env:
-  FORCE_COLOR: "1"  # Make tools pretty.
-  TOX_TESTENV_PASSENV: "FORCE_COLOR"
-  PYTHON_LATEST: "3.10"
-
-
-jobs:
-  tests:
-    name: tox on ${{ matrix.python-version }}
-    runs-on: "ubuntu-latest"
-    strategy:
-      matrix:
-        python-version: ["3.6", "3.7", "3.8", "3.9", "3.10", "pypy-3.7"]
-
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          python-version: "${{ matrix.python-version }}"
-      - name: Install dependencies
-        run: |
-          python -VV
-          python -m site
-          python -m pip install --upgrade pip setuptools wheel
-          python -m pip install --upgrade virtualenv tox tox-gh-actions
-
-      - run: python -m tox
-
-      - name: Upload coverage data
-        uses: actions/upload-artifact@v2
-        with:
-          name: coverage-data
-          path: ".coverage.*"
-          if-no-files-found: ignore
-
-
-  coverage:
-    name: Combine & check coverage.
-    runs-on: "ubuntu-latest"
-    needs: tests
-
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-        with:
-          # Use latest Python, so it understands all syntax.
-          python-version: ${{env.PYTHON_LATEST}}
-
-      - run: python -m pip install --upgrade coverage[toml]
-
-      - uses: actions/download-artifact@v2
-        with:
-          name: coverage-data
-
-      - name: Combine coverage & fail if it's <100%.
-        run: |
-          python -m coverage combine
-          python -m coverage html --skip-covered --skip-empty
-          python -m coverage report --fail-under=100
-
-      - name: Upload HTML report if check failed.
-        uses: actions/upload-artifact@v2
-        with:
-          name: html-report
-          path: htmlcov
-        if: ${{ failure() }}
-
-
-  system-package:
-    name: Install & test with system package of Argon2.
-    runs-on: "ubuntu-latest"
-
-    steps:
-      - uses: "actions/checkout@v2"
-      - uses: "actions/setup-python@v2"
-        with:
-          python-version: ${{env.PYTHON_LATEST}}
-      - name: "Install dependencies"
-        run: |
-          sudo apt-get install libargon2-0 libargon2-0-dev
-          python -VV
-          python -m site
-          python -m pip install --upgrade pip setuptools wheel
-          python -m pip install --upgrade virtualenv tox
-
-      - run: "python -m tox -e system-argon2"
-
-
-  package:
-    name: Build & verify package
-    runs-on: "ubuntu-latest"
-
-    steps:
-      - uses: "actions/checkout@v2"
-      - uses: "actions/setup-python@v2"
-        with:
-          python-version: ${{env.PYTHON_LATEST}}
-
-      - run: "python -m pip install build twine check-wheel-contents"
-      - run: "python -m build ."
-      - run: "ls -l dist"
-      - run: "check-wheel-contents dist/*.whl"
-      - name: "Check long_description"
-        run: "python -m twine check dist/*"
-
-
-  install-dev:
-    name: Verify dev env
-    runs-on: "${{ matrix.os }}"
-    strategy:
-      matrix:
-        os: ["ubuntu-latest", "windows-latest", "macos-latest"]
-
-    steps:
-      - uses: "actions/checkout@v2"
-      - uses: "actions/setup-python@v2"
-        with:
-          python-version: ${{env.PYTHON_LATEST}}
-      - run: "python -m pip install -e .[dev]"
-      - run: "python -m argon2 -n 1 -t 1 -m 8 -p 1"
--- a/.github/workflows/pypi-package.yml
+++ b/.github/workflows/pypi-package.yml
@ -0,0 +1,77 @@
+---
+name: Build & upload PyPI package
+
+on:
+  push:
+    branches: [main]
+    tags: ["*"]
+  release:
+    types:
+      - published
+  workflow_dispatch:
+
+
+jobs:
+  # Always build & lint package.
+  build-package:
+    name: Build & verify package
+    runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0
+        with:
+          attest-build-provenance-github: 'true'
+
+
+  # Upload to Test PyPI on every commit on main.
+  release-test-pypi:
+    name: Publish in-dev package to test.pypi.org
+    environment: release-test-pypi
+    if: github.repository_owner == 'hynek' && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    needs: build-package
+
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: Packages
+          path: dist
+
+      - name: Upload package to Test PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+        with:
+          repository-url: https://test.pypi.org/legacy/
+
+
+  # Upload to real PyPI on GitHub Releases.
+  release-pypi:
+    name: Publish released package to pypi.org
+    environment: release-pypi
+    if: github.repository_owner == 'hynek' && github.event.action == 'published'
+    runs-on: ubuntu-latest
+    needs: build-package
+
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download packages built by build-and-inspect-python-package
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: Packages
+          path: dist
+
+      - name: Upload package to PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@ -0,0 +1,39 @@
+# https://github.com/woodruffw/zizmor
+name: Zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["*"]
+
+permissions:
+  contents: read
+
+
+jobs:
+  zizmor:
+    name: Zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: zizmor
--- a/.gitignore
+++ b/.gitignore
@ -1,15 +1,16 @@
-*.dylib
-*.egg-info
 *.pyc
-*.so
+.DS_Store
 .cache
 .coverage
 .coverage.*
-.eggs
+.direnv
+.envrc
 .hypothesis
+.mypy_cache
 .pytest_cache/
 .tox
+.vscode
 __pycache__
-_build
 dist
-pip-wheel-metadata/
+docs/_build/
+Justfile
--- a/.gitmodules
+++ b/.gitmodules
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -3,27 +3,28 @@ ci:
  autoupdate_schedule: monthly

 repos:
-  - repo: https://github.com/psf/black
-    rev: 21.12b0
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.15.12
    hooks:
-      - id: black
-        language_version: python3.10
+      - id: ruff-check
+        args: [--fix, --exit-non-zero-on-fix]
+      - id: ruff-format

-  - repo: https://github.com/PyCQA/isort
-    rev: 5.10.1
+  - repo: https://github.com/econchick/interrogate
+    rev: 1.7.0
    hooks:
-      - id: isort
-        additional_dependencies: [toml]
+      - id: interrogate
+        args: [tests]

-  - repo: https://github.com/PyCQA/flake8
-    rev: 4.0.1
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.4.2
    hooks:
-      - id: flake8
-        language_version: python3.10
+      - id: codespell

  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.0.1
+    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
-      - id: debug-statements
+      - id: check-toml
+      - id: check-yaml
--- a/.python-version-default
+++ b/.python-version-default
@ -0,0 +1 @@
+3.13
--- a/.readthedocs.yaml
+++ b/.readthedocs.yaml
@ -0,0 +1,20 @@
+---
+version: 2
+
+build:
+  os: ubuntu-lts-latest
+  tools:
+    # Keep version in sync with tox.ini/docs.
+    python: "3.13"
+  jobs:
+    create_environment:
+      # Need the tags to calculate the version (sometimes).
+      - git fetch --tags
+
+      - asdf plugin add uv
+      - asdf install uv latest
+      - asdf global uv latest
+
+    build:
+      html:
+        - uvx --with tox-uv tox run -e docs-build -- $READTHEDOCS_OUTPUT
--- a/.readthedocs.yml
+++ b/.readthedocs.yml
@ -1,19 +0,0 @@
---
-version: 2
-formats: all
-
-build:
-  os: ubuntu-20.04
-  tools:
-    # Keep version in sync with tox.ini (docs and gh-actions).
-    python: "3.10"
-
-python:
-  install:
-    - method: pip
-      path: .
-      extra_requirements:
-        - docs
-
-submodules:
-  include: all
--- a/AUTHORS.rst
+++ b/AUTHORS.rst
@ -1,9 +0,0 @@
-Credits & License
-=================
-
-*argon2-cffi* is maintained by `Hynek Schlawack <https://hynek.me/>`_ and released under the `MIT license <https://github.com/hynek/argon2-cffi/blob/main/LICENSE>`_.
-
-The development is kindly supported by `Variomedia AG <https://www.variomedia.de/>`_.
-Please consider `supporting me <https://hynek.me/say-thanks/>`_ too!
-
-A full list of contributors can be found in GitHub's `overview <https://github.com/hynek/argon2-cffi/graphs/contributors>`_.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,31 +1,77 @@
 # Changelog

-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Calendar Versioning](https://calver.org/).
+All notable changes to this project will be documented in this file.

-The **first digit** of the version is the year.
-The **second digit** is incremented with each release, starting at 1 for each year.
-The **third digit** is when we need to start branches for older releases (only for emergencies).
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Calendar Versioning](https://calver.org/).

---
+The **first number** of the version is the year.
+The **second number** is incremented with each release, starting at 1 for each year.
+The **third number** is when we need to start branches for older releases (only for emergencies).

-*argon2-cffi* has a very strong backward compatibility policy.
-Generally speaking, you shouldn't ever be afraid of updating.
-
-Whenever breaking changes are needed, they are:
-
-1.  …announced here in the changelog.
-2.  …the old behavior raises a `DeprecationWarning` for a year (if possible).
-3.  …are done with another announcement in the changelog.
-
-What explicitly *may* change over time are the default hashing parameters and the behavior of the [CLI interface](https://argon2-cffi.readthedocs.io/en/stable/cli.html).
+You can find our backwards-compatibility policy [here](https://github.com/hynek/argon2-cffi/blob/main/.github/SECURITY.md).

 <!-- changelog follows -->

+
+## [Unreleased](https://github.com/hynek/argon2-cffi/compare/25.1.0...HEAD)
+
+
+## [25.1.0](https://github.com/hynek/argon2-cffi/compare/23.1.0...25.1.0) - 2025-06-03
+
+### Added
+
+- Official support for Python 3.13 and 3.14.
+  No code changes were necessary.
+
+
+### Removed
+
+- Python 3.7 and 3.8 are not supported anymore.
+  [#186](https://github.com/hynek/argon2-cffi/pull/186)
+
+
+### Changed
+
+- `argon2.PasswordHasher.check_needs_rehash()` now also accepts bytes like the rest of the API.
+  [#174](https://github.com/hynek/argon2-cffi/pull/174)
+
+- Improved parameter compatibility handling for Pyodide / WebAssembly environments.
+  [#190](https://github.com/hynek/argon2-cffi/pull/190)
+
+
+## [23.1.0](https://github.com/hynek/argon2-cffi/compare/21.3.0...23.1.0) - 2023-08-15
+
+### Removed
+
+- Python 3.6 is not supported anymore.
+
+
+### Deprecated
+
+- The `InvalidHash` exception is deprecated in favor of `InvalidHashError`.
+  No plans for removal currently exist and the names can (but shouldn't) be used interchangeably.
+
+- `argon2.hash_password()`, `argon2.hash_password_raw()`, and `argon2.verify_password()` that have been soft-deprecated since 2016 are now hard-deprecated.
+  They now raise `DeprecationWarning`s and will be removed in 2024.
+
+
+### Added
+
+- Official support for Python 3.11 and 3.12.
+  No code changes were necessary.
+
+- `argon2.exceptions.InvalidHashError` as a replacement for `InvalidHash`.
+
+- *salt* parameter to `argon2.PasswordHasher.hash()` to allow for custom salts.
+  This is only useful for specialized use-cases -- leave it on None unless you know exactly what you are doing.
+  [#153](https://github.com/hynek/argon2-cffi/pull/153)
+
+
 ## [21.3.0](https://github.com/hynek/argon2-cffi/compare/21.2.0...21.3.0) - 2021-12-11

 ### Fixed

- While the last release added type hints, the fact that it's been misssing a `py.typed` file made *Mypy* ignore them.
+- While the last release added type hints, the fact that it's been missing a `py.typed` file made Mypy ignore them.
  [#113](https://github.com/hynek/argon2-cffi/pull/113)


@ -35,10 +81,10 @@ What explicitly *may* change over time are the default hashing parameters and th

 - Python 3.5 is not supported anymore.

- The *CFFI* bindings have been extracted into a separate project: [*argon2-cffi-bindings*]
+- The CFFI bindings have been extracted into a separate project: [*argon2-cffi-bindings*]
  This makes *argon2-cffi* a Python-only project und should make it easier to contribute to and have more frequent releases with high-level features.

-  This change is breaking for users who want to use a system-wide installation of *Argon2* instead of our vendored code, because the argument to the ``--no-binary`` argument changed.
+  This change is breaking for users who want to use a system-wide installation of Argon2 instead of our vendored code, because the argument to the ``--no-binary`` argument changed.
  Please refer to the [installation guide](https://argon2-cffi.readthedocs.io/en/stable/installation.html).


@ -48,7 +94,7 @@ What explicitly *may* change over time are the default hashing parameters and th
  Including:
    - Apple Silicon via `universal2`
    - Linux on `amd64` and `arm64`
-    - [*musl libc*](https://musl.libc.org) ([*Alpine* Linux!](https://www.alpinelinux.org)) on `i686`, `amd64`, and `arm64`
+    - [*musl libc*](https://musl.libc.org) ([Alpine Linux!](https://www.alpinelinux.org)) on `i686`, `amd64`, and `arm64`
    - PyPy 3.8

  We hope to provide wheels for Windows on `arm64` soon, but are waiting for GitHub Actions to support that.
@ -72,18 +118,18 @@ What explicitly *may* change over time are the default hashing parameters and th

 ## [21.1.0](https://github.com/hynek/argon2-cffi/compare/20.1.0...21.1.0) - 2021-08-29

-Vendoring *Argon2* @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)
+Vendoring Argon2 @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)

 ### Removed

- Microsoft stopped providing the necessary SDKs to ship Python 2.7 wheels and currenly the downloads amount to 0.09%.
+- Microsoft stopped providing the necessary SDKs to ship Python 2.7 wheels and currently the downloads amount to 0.09%.
  Therefore we have decided that Python 2.7 is not supported anymore.


 ### Changed

 - There are indeed no changes whatsoever to the code of *argon2-cffi*.
-  The *Argon2* project also hasn't tagged a new release since July 2019.
+  The Argon2 project also hasn't tagged a new release since July 2019.
  There also don't seem to be any important pending fixes.

  This release is mainly about improving the way binary wheels are built (`abi3` on all platforms).
@ -91,17 +137,17 @@ Vendoring *Argon2* @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/6

 ## [20.1.0](https://github.com/hynek/argon2-cffi/compare/19.2.0...20.1.0) - 2020-05-11

-Vendoring *Argon2* @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)
+Vendoring Argon2 @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)


 ### Added

- It is now possible to manually override the detection of *SSE2* using the `ARGON2_CFFI_USE_SSE2` environment variable.
+- It is now possible to manually override the detection of SSE2 using the `ARGON2_CFFI_USE_SSE2` environment variable.


 ## [19.2.0](https://github.com/hynek/argon2-cffi/compare/18.3.0...19.1.0) - 2019-10-27

-Vendoring *Argon2* @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)
+Vendoring Argon2 @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)

 ### Removed

@ -118,16 +164,16 @@ Vendoring *Argon2* @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/6

 ## [19.1.0](https://github.com/hynek/argon2-cffi/compare/18.3.0...19.1.0) - 2019-01-17

-Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
+Vendoring Argon2 @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)

 ### Added

- Added support for *Argon2* v1.2 hashes in `argon2.extract_parameters()`.
+- Added support for Argon2 v1.2 hashes in `argon2.extract_parameters()`.


 ## [18.3.0](https://github.com/hynek/argon2-cffi/compare/18.2.0...18.3.0) - 2018-08-19

-Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
+Vendoring Argon2 @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)

 ### Added

@ -136,13 +182,13 @@ Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/6

 ## [18.2.0](https://github.com/hynek/argon2-cffi/compare/18.1.0...18.2.0) - 2018-08-19

-Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
+Vendoring Argon2 @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)

 ### Changed

 - The hash type for `argon2.PasswordHasher` is Argon2**id** now.

-  This decision has been made based on the recommendations in the latest [*Argon2* RFC draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-04#section-4).
+  This decision has been made based on the recommendations in the latest [Argon2 RFC draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-04#section-4).
  [#33](https://github.com/hynek/argon2-cffi/issues/33)
  [#34](https://github.com/hynek/argon2-cffi/pull/34)

@ -154,7 +200,7 @@ Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/6

 - To make the change of hash type backward compatible, `argon2.PasswordHasher.verify()` now determines the type of the hash and verifies it accordingly.

- To allow for bespoke decisions about upgrading *Argon2* parameters, it's now possible to extract them from a hash via the `argon2.extract_parameters()` function.
+- To allow for bespoke decisions about upgrading Argon2 parameters, it's now possible to extract them from a hash via the `argon2.extract_parameters()` function.
  [#41](https://github.com/hynek/argon2-cffi/pull/41)

 - Additionally `argon2.PasswordHasher` now has a `check_needs_rehash()` method that allows to verify whether a hash has been created with the instance's parameters or whether it should be rehashed.
@ -163,16 +209,16 @@ Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/6

 ## [18.1.0](https://github.com/hynek/argon2-cffi/compare/16.3.0...18.1.0) - 2018-01-06

-Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
+Vendoring Argon2 @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)

 ### Added

- It is now possible to use the *argon2-cffi* bindings against an *Argon2* library that is provided by the system.
+- It is now possible to use the *argon2-cffi* bindings against an Argon2 library that is provided by the system.


 ## [16.3.0](https://github.com/hynek/argon2-cffi/compare/16.2.0...16.3.0) - 2016-11-10

-Vendoring *Argon2* @ [1c4fc41f81f358283755eea88d4ecd05e43b7fd3](https://github.com/P-H-C/phc-winner-argon2/tree/1c4fc41f81f358283755eea88d4ecd05e43b7fd3) (20161029)
+Vendoring Argon2 @ [1c4fc41f81f358283755eea88d4ecd05e43b7fd3](https://github.com/P-H-C/phc-winner-argon2/tree/1c4fc41f81f358283755eea88d4ecd05e43b7fd3) (20161029)

 ### Added

@ -189,17 +235,17 @@ Vendoring *Argon2* @ [1c4fc41f81f358283755eea88d4ecd05e43b7fd3](https://github.c

 ## [16.2.0](https://github.com/hynek/argon2-cffi/compare/16.1.0...16.2.0) - 2016-09-10

-Vendoring *Argon2* @ [4844d2fee15d44cb19296ddf36029326d17c5aa3](https://github.com/P-H-C/phc-winner-argon2/tree/4844d2fee15d44cb19296ddf36029326d17c5aa3)
+Vendoring Argon2 @ [4844d2fee15d44cb19296ddf36029326d17c5aa3](https://github.com/P-H-C/phc-winner-argon2/tree/4844d2fee15d44cb19296ddf36029326d17c5aa3)

 ### Fixed

- Fixed compilation on debian jessie.
+- Fixed compilation on Debian 8 (Jessie).
  [#13](https://github.com/hynek/argon2-cffi/pull/13)


 ## [16.1.0](https://github.com/hynek/argon2-cffi/compare/16.0.0...16.1.0) - 2016-04-19

-Vendoring *Argon2* @ [00aaa6604501fade85853a4b2f5695611ff6e7c5](https://github.com/P-H-C/phc-winner-argon2/tree/00aaa6604501fade85853a4b2f5695611ff6e7c5).
+Vendoring Argon2 @ [00aaa6604501fade85853a4b2f5695611ff6e7c5](https://github.com/P-H-C/phc-winner-argon2/tree/00aaa6604501fade85853a4b2f5695611ff6e7c5).

 ### Added

@ -208,7 +254,7 @@ Vendoring *Argon2* @ [00aaa6604501fade85853a4b2f5695611ff6e7c5](https://github.c

 ### Changed

- Add support for [*Argon2* 1.3](https://mailarchive.ietf.org/arch/msg/cfrg/beOzPh41Hz3cjl5QD7MSRNTi3lA/).
+- Add support for [Argon2 1.3](https://mailarchive.ietf.org/arch/msg/cfrg/beOzPh41Hz3cjl5QD7MSRNTi3lA/).
  Old hashes remain functional but opportunistic rehashing is strongly recommended.

 ### Removed
@ -224,7 +270,7 @@ Vendoring *Argon2* @ [00aaa6604501fade85853a4b2f5695611ff6e7c5](https://github.c

 ## [16.0.0](https://github.com/hynek/argon2-cffi/compare/15.0.1...16.0.0) - 2016-01-02

-Vendoring *Argon2* @ [421dafd2a8af5cbb215e16da5953663eb101d139](https://github.com/P-H-C/phc-winner-argon2/tree/421dafd2a8af5cbb215e16da5953663eb101d139).
+Vendoring Argon2 @ [421dafd2a8af5cbb215e16da5953663eb101d139](https://github.com/P-H-C/phc-winner-argon2/tree/421dafd2a8af5cbb215e16da5953663eb101d139).

 ### Deprecated

@ -243,7 +289,7 @@ Vendoring *Argon2* @ [421dafd2a8af5cbb215e16da5953663eb101d139](https://github.c

 ## [15.0.1](https://github.com/hynek/argon2-cffi/compare/15.0.0...15.0.1) - 2015-12-18

-Vendoring *Argon2* @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).
+Vendoring Argon2 @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).

 ### Fixed

@ -252,11 +298,11 @@ Vendoring *Argon2* @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.c

 ## [15.0.0](https://github.com/hynek/argon2-cffi/compare/15.0.0b5...15.0.0) - 2015-12-18

-Vendoring *Argon2* @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).
+Vendoring Argon2 @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).

 ### Added

- Conditionally use the [*SSE2*](https://en.wikipedia.org/wiki/SSE2)-optimized version of `argon2` on x86 architectures.
+- Conditionally use the [SSE2](https://en.wikipedia.org/wiki/SSE2)-optimized version of `argon2` on x86 architectures.

 ### Changed

@ -275,13 +321,13 @@ Vendoring *Argon2* @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.c

 ## [15.0.0b5](https://github.com/hynek/argon2-cffi/tree/15.0.0b5) - 2015-12-10

-Vendoring *Argon2* @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).
+Vendoring Argon2 @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).

 ### Added

 - Initial work.
  Previous betas were only for fixing Windows packaging.
-  The authors of *Argon2* were kind enough to [help me](https://github.com/P-H-C/phc-winner-argon2/issues/44) to get it building under Visual Studio 2008 that we’re forced to use for Python 2.7 on Windows.
+  The authors of Argon2 were kind enough to [help me](https://github.com/P-H-C/phc-winner-argon2/issues/44) to get it building under Visual Studio 2008 that we’re forced to use for Python 2.7 on Windows.


 [*argon2-cffi-bindings*]: https://github.com/hynek/argon2-cffi-bindings
--- a/FAQ.md
+++ b/FAQ.md
@ -0,0 +1,27 @@
+# Frequently Asked Questions
+
+## I'm using *bcrypt* / *PBKDF2* / *scrypt* / *yescrypt*, do I need to migrate?
+
+Using password hashes that aren't memory hard carries a certain risk but there's **no immediate danger or need for action**.
+If however you are deciding how to hash password *today*, Argon2 is the superior, future-proof choice.
+
+But if you already use one of the hashes mentioned in the question, you should be fine for the foreseeable future.
+If you're using *scrypt* or *yescrypt*, you will be probably fine for good.
+
+
+## Why do the `verify()` methods raise an Exception instead of returning `False`?
+
+1.  The Argon2 library had no concept of a "wrong password" error in the beginning.
+    Therefore when writing these bindings, an exception with the full error had to be raised so you could inspect what went actually wrong.
+
+    Changing that now would be a very dangerous break of backwards-compatibility.
+
+2.  In my opinion, a wrong password should raise an exception such that it can't pass unnoticed by accident.
+    See also The Zen of Python: "Errors should never pass silently."
+
+3.  It's more [Pythonic](https://docs.python.org/3/glossary.html#term-EAFP).
+
+
+## Does *argon2-cffi* release the GIL?
+
+[Yes](https://cffi.readthedocs.io/en/latest/ref.html#conversions).
--- a/FAQ.rst
+++ b/FAQ.rst
@ -1,18 +0,0 @@
-Frequently Asked Questions
-==========================
-
-I'm using *bcrypt*/*PBKDF2*/*scrypt*/*yescrypt*, do I need to migrate?
-  Using password hashes that aren't memory hard carries a certain risk but there's **no immediate danger or need for action**.
-  If however you are deciding how to hash password *today*, *Argon2* is the superior, future-proof choice.
-
-  But if you already use one of the hashes mentioned in the question, you should be fine for the foreseeable future.
-  If you're using *scrypt* or *yescrypt*, you will be probably fine for good.
-
-Why do the ``verify()`` methods raise an Exception instead of returning ``False``?
-   #. The *Argon2* library had no concept of a "wrong password" error in the beginning.
-      Therefore when writing these bindings, an exception with the full error had to be raised so you could inspect what went actually wrong.
-
-      It goes without saying that it's impossible to switch now for backward-compatibility reasons.
-   #. In my opinion, a wrong password should raise an exception such that it can't pass unnoticed by accident.
-      See also The Zen of Python: "Errors should never pass silently."
-   #. It's more `Pythonic <https://docs.python.org/3/glossary.html#term-EAFP>`_.
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2015 Hynek Schlawack
+Copyright (c) 2015 Hynek Schlawack and the argon2-cffi contributors

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/README.md
+++ b/README.md
@ -0,0 +1,54 @@
+# *argon2-cffi*: Argon2 for Python
+
+[![Documentation](https://img.shields.io/badge/Docs-Read%20The%20Docs-black)](https://argon2-cffi.readthedocs.io/)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6671/badge)](https://bestpractices.coreinfrastructure.org/projects/6671)
+[![PyPI version](https://img.shields.io/pypi/v/argon2-cffi)](https://pypi.org/project/argon2-cffi/)
+[![Downloads / Month](https://static.pepy.tech/personalized-badge/argon2-cffi?period=month&units=international_system&left_color=grey&right_color=blue&left_text=Downloads%20/%20Month)](https://pepy.tech/project/argon2-cffi)
+
+<!-- begin short -->
+<!-- begin pypi -->
+
+[Argon2](https://github.com/p-h-c/phc-winner-argon2) won the [Password Hashing Competition](https://www.password-hashing.net/) and *argon2-cffi* is the simplest way to use it in Python:
+
+```pycon
+>>> from argon2 import PasswordHasher
+>>> ph = PasswordHasher()
+>>> hash = ph.hash("correct horse battery staple")
+>>> hash  # doctest: +SKIP
+'$argon2id$v=19$m=65536,t=3,p=4$MIIRqgvgQbgj220jfp0MPA$YfwJSVjtjSU0zzV/P3S9nnQ/USre2wvJMjfCIjrTQbg'
+>>> ph.verify(hash, "correct horse battery staple")
+True
+>>> ph.check_needs_rehash(hash)
+False
+>>> ph.verify(hash, "Tr0ub4dor&3")
+Traceback (most recent call last):
+  ...
+argon2.exceptions.VerifyMismatchError: The password does not match the supplied hash
+
+```
+<!-- end short -->
+
+## Project Links
+
+- [**PyPI**](https://pypi.org/project/argon2-cffi/)
+- [**GitHub**](https://github.com/hynek/argon2-cffi)
+- [**Documentation**](https://argon2-cffi.readthedocs.io/)
+- [**Changelog**](https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md)
+- [**Funding**](https://hynek.me/say-thanks/)
+- The low-level Argon2 CFFI bindings are maintained in the separate [*argon2-cffi-bindings*](https://github.com/hynek/argon2-cffi-bindings) project.
+
+<!-- end pypi -->
+
+## Credits
+
+*argon2-cffi* is maintained by [Hynek Schlawack](https://hynek.me/).
+
+The development is kindly supported by my employer [Variomedia AG](https://www.variomedia.de/), *argon2-cffi* [Tidelift subscribers](https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek), and my amazing [GitHub Sponsors](https://github.com/sponsors/hynek).
+
+
+## *argon2-cffi* for Enterprise
+
+Available as part of the [Tidelift Subscription](https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).
+
+The maintainers of *argon2-cffi* and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open-source packages you use to build your applications.
+Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use.
--- a/README.rst
+++ b/README.rst
@ -1,68 +0,0 @@
-===================
-*Argon2* for Python
-===================
-
-.. image:: https://img.shields.io/badge/Docs-Read%20The%20Docs-black
-   :target: https://argon2-cffi.readthedocs.io/
-   :alt: Documentation
-
-.. image:: https://img.shields.io/badge/license-MIT-C06524
-   :target: https://github.com/hynek/argon2-cffi/blob/main/LICENSE
-   :alt: License: MIT
-
-.. image:: https://img.shields.io/pypi/v/argon2-cffi
-   :target: https://pypi.org/project/argon2-cffi/
-   :alt: PyPI version
-
-.. image:: https://static.pepy.tech/personalized-badge/argon2-cffi?period=month&units=international_system&left_color=grey&right_color=blue&left_text=Downloads%20/%20Month
-   :target: https://pepy.tech/project/argon2-cffi
-   :alt: Downloads / Month
-
-
-.. -begin-short-
-
-`Argon2 <https://github.com/p-h-c/phc-winner-argon2>`_ won the `Password Hashing Competition <https://www.password-hashing.net/>`_ and *argon2-cffi* is the simplest way to use it in Python and PyPy:
-
-.. code-block:: pycon
-
-  >>> from argon2 import PasswordHasher
-  >>> ph = PasswordHasher()
-  >>> hash = ph.hash("correct horse battery staple")
-  >>> hash  # doctest: +SKIP
-  '$argon2id$v=19$m=65536,t=3,p=4$MIIRqgvgQbgj220jfp0MPA$YfwJSVjtjSU0zzV/P3S9nnQ/USre2wvJMjfCIjrTQbg'
-  >>> ph.verify(hash, "correct horse battery staple")
-  True
-  >>> ph.check_needs_rehash(hash)
-  False
-  >>> ph.verify(hash, "Tr0ub4dor&3")
-  Traceback (most recent call last):
-    ...
-  argon2.exceptions.VerifyMismatchError: The password does not match the supplied hash
-
-.. -end-short-
-
-
-.. -begin-meta-
-
-Project Information
-===================
-
-
-*argon2-cffi* is available from `PyPI <https://pypi.org/project/argon2-cffi/>`_, the documentation lives at `Read the Docs <https://argon2-cffi.readthedocs.io/>`_, the code on `GitHub <https://github.com/hynek/argon2-cffi>`_.
-The low-level Argon2 CFFI bindings are maintained in the separate project `argon2-cffi-bindings <https://github.com/hynek/argon2-cffi-bindings>`_.
-
-It targets Python 3.6 and newer, and PyPy3.
-The last version that works with Python 2.7 is 20.1.0, and the last version that works with Python 3.5 is 21.1.0.
-
-*argon2-cffi* implements *Argon2* version 1.3, as described in
-`Argon2: the memory-hard function for password hashing and other applications <https://www.cryptolux.org/images/0/0d/Argon2.pdf>`_.
-
-
-*argon2-cffi* for Enterprise
----------------------------
-
-Available as part of the Tidelift Subscription.
-
-The maintainers of *argon2-cffi* and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. `Learn more. <https://tidelift.com/subscription/pkg/pypi-argon2-cffi?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise&utm_term=repo>`_
-
-.. -end-meta-
--- a/docs/_static/custom.css
+++ b/docs/_static/custom.css
@ -0,0 +1,10 @@
+@import url('https://rsms.me/inter/inter.css');
+@import url('https://assets.hynek.me/css/bm.css');
+
+
+:root {
+  font-feature-settings: 'liga' 1, 'calt' 1; /* fix for Chrome */
+}
+@supports (font-variation-settings: normal) {
+  :root { font-family: InterVariable, sans-serif; }
+}
--- a/docs/api.rst
+++ b/docs/api.rst
@ -3,44 +3,6 @@ API Reference

 .. module:: argon2

-*argon2-cffi* comes with an high-level API and uses the officially recommended low-memory *Argon2* parameters that result in a verification time of 40--50ms on recent-ish hardware.
-
-.. warning::
-
-   The current memory requirement is set to rather conservative 64 MB.
-   However, in memory constrained environments such as *Docker* containers that can lead to problems.
-   One possible non-obvious symptom are apparent freezes that are caused by swapping.
-
-   Please check :doc:`parameters` for more details.
-
-Unless you have any special needs, all you need to know is:
-
-.. doctest::
-
-  >>> from argon2 import PasswordHasher
-  >>> ph = PasswordHasher()
-  >>> hash = ph.hash("correct horse battery staple")
-  >>> hash  # doctest: +SKIP
-  '$argon2id$v=19$m=65536,t=3,p=4$MIIRqgvgQbgj220jfp0MPA$YfwJSVjtjSU0zzV/P3S9nnQ/USre2wvJMjfCIjrTQbg'
-  >>> ph.verify(hash, "correct horse battery staple")
-  True
-  >>> ph.check_needs_rehash(hash)
-  False
-  >>> ph.verify(hash, "Tr0ub4dor&3")
-  Traceback (most recent call last):
-    ...
-  argon2.exceptions.VerifyMismatchError: The password does not match the supplied hash
-
-
-A login function could thus look like this:
-
-.. literalinclude:: login_example.py
-   :language: python
-
----
-
-While the :class:`PasswordHasher` class has the aspiration to be good to use out of the box, it has all the parametrization you'll need:
-
 .. autoclass:: PasswordHasher
  :members: from_parameters, hash, verify, check_needs_rehash

@ -52,7 +14,8 @@ If you don't specify any parameters, the following constants are used:
 .. data:: DEFAULT_MEMORY_COST
 .. data:: DEFAULT_PARALLELISM

-They are taken from :data:`argon2.profiles.RFC_9106_LOW_MEMORY`.
+They are taken from :data:`argon2.profiles.RFC_9106_LOW_MEMORY`, but they may vary depending on the platform.
+You can use :func:`argon2.profiles.get_default_parameters` to get the current platform's defaults.


 Profiles
@ -117,6 +80,8 @@ That should give you a feeling on how they perform in *your* environment.
   .. versionadded:: 21.2.0


+.. autofunction:: argon2.profiles.get_default_parameters
+
 .. _`RFC 9106`: https://www.rfc-editor.org/rfc/rfc9106.html


@ -129,8 +94,13 @@ Exceptions

 .. autoexception:: argon2.exceptions.HashingError

+.. autoexception:: argon2.exceptions.InvalidHashError
+
 .. autoexception:: argon2.exceptions.InvalidHash

+.. autoexception:: argon2.exceptions.UnsupportedParametersError
+
+

 Utilities
 ---------
@ -145,8 +115,23 @@ Low Level

 .. automodule:: argon2.low_level

-.. autoclass:: Type
-  :members: D, I, ID
+.. autoclass:: Type()
+
+   .. attribute:: D
+
+      Argon2\ **d** is faster and uses data-depending memory access.
+      That makes it less suitable for hashing secrets and more suitable for cryptocurrencies and applications with no threats from side-channel timing attacks.
+
+   .. attribute:: I
+
+      Argon2\ **i** uses data-independent memory access.
+      Argon2i is slower as it makes more passes over the memory to protect from tradeoff attacks.
+
+   .. attribute:: ID
+
+      Argon2\ **id** is a hybrid of Argon2i and Argon2d, using a combination of data-depending and data-independent memory accesses, which gives some of Argon2i's resistance to side-channel cache timing attacks and much of Argon2d's resistance to GPU cracking attacks.
+
+      .. versionadded:: 16.3.0

 .. autodata:: ARGON2_VERSION

@ -182,44 +167,66 @@ The super low-level ``argon2_core()`` function is exposed too if you need access
 .. autofunction:: core

 In order to use :func:`core`, you need access to *argon2-cffi*'s FFI objects.
-Therefore it is OK to use ``argon2.low_level.ffi`` and ``argon2.low_level.lib`` when working with it:
+Therefore, it is OK to use ``argon2.low_level.ffi`` and ``argon2.low_level.lib`` when working with it.
+For example, if you wanted to check the :rfc:`9106` test vectors for Argon2id that include a secret and associated data that both get mixed into the hash and aren't exposed by the high-level APIs:

 .. doctest::

-  >>> from argon2.low_level import ARGON2_VERSION, Type, core, ffi, lib
-  >>> pwd = b"secret"
-  >>> salt = b"12345678"
-  >>> hash_len = 8
-  >>> # Make sure you keep FFI objects alive until *after* the core call!
-  >>> cout = ffi.new("uint8_t[]", hash_len)
-  >>> cpwd = ffi.new("uint8_t[]", pwd)
-  >>> csalt = ffi.new("uint8_t[]", salt)
-  >>> ctx = ffi.new(
-  ...     "argon2_context *", dict(
-  ...         version=ARGON2_VERSION,
-  ...         out=cout, outlen=hash_len,
-  ...         pwd=cpwd, pwdlen=len(pwd),
-  ...         salt=csalt, saltlen=len(salt),
-  ...         secret=ffi.NULL, secretlen=0,
-  ...         ad=ffi.NULL, adlen=0,
-  ...         t_cost=1,
-  ...         m_cost=8,
-  ...         lanes=1, threads=1,
-  ...         allocate_cbk=ffi.NULL, free_cbk=ffi.NULL,
-  ...         flags=lib.ARGON2_DEFAULT_FLAGS,
+  >>> from argon2.low_level import Type, core, ffi, lib
+
+  >>> def low_level_hash(
+  ...        password, salt, secret, associated,
+  ...        hash_len, version, t_cost, m_cost, lanes, threads):
+  ...     cout = ffi.new("uint8_t[]", hash_len)
+  ...     cpwd = ffi.new("uint8_t[]", password)
+  ...     cad = ffi.new("uint8_t[]", associated)
+  ...     csalt = ffi.new("uint8_t[]", salt)
+  ...     csecret = ffi.new("uint8_t[]", secret)
+  ...
+  ...     ctx = ffi.new(
+  ...         "argon2_context *",
+  ...         {
+  ...             "out": cout,
+  ...             "outlen": hash_len,
+  ...             "version": version,
+  ...             "pwd": cpwd,
+  ...             "pwdlen": len(cpwd) - 1,
+  ...             "salt": csalt,
+  ...             "saltlen": len(csalt) - 1,
+  ...             "secret": csecret,
+  ...             "secretlen": len(csecret) - 1,
+  ...             "ad": cad,
+  ...             "adlen": len(cad) - 1,
+  ...             "t_cost": t_cost,
+  ...             "m_cost": m_cost,
+  ...             "lanes": lanes,
+  ...             "threads": threads,
+  ...             "allocate_cbk": ffi.NULL,
+  ...             "free_cbk": ffi.NULL,
+  ...             "flags": lib.ARGON2_DEFAULT_FLAGS,
+  ...         },
+  ...     )
+  ...
+  ...     assert lib.ARGON2_OK == core(ctx, Type.ID.value)
+  ...
+  ...     return bytes(ffi.buffer(ctx.out, ctx.outlen)).hex()
+
+  >>> password = bytes.fromhex(
+  ...    "0101010101010101010101010101010101010101010101010101010101010101"
+  ... )
+  >>> associated = bytes.fromhex("040404040404040404040404")
+  >>> salt = bytes.fromhex("02020202020202020202020202020202")
+  >>> secret = bytes.fromhex("0303030303030303")
+
+  >>> assert (
+  ...     "0d640df58d78766c08c037a34a8b53c9d01ef0452d75b65eb52520e96b01e659"
+  ...     == low_level_hash(
+  ...            password, salt, secret, associated,
+  ...            32, 19, 3, 32, 4, 4,
  ...     )
  ... )
-  >>> ctx
-  <cdata 'struct Argon2_Context *' owning 120 bytes>
-  >>> core(ctx, Type.D.value)
-  0
-  >>> out = bytes(ffi.buffer(ctx.out, ctx.outlen))
-  >>> out
-  b'\xb4\xe2HjO\x14d\x9b'
-  >>> out == argon2.low_level.hash_secret_raw(pwd, salt, 1, 8, 1, 8, Type.D)
-  True

-All constants and types on ``argon2.low_level.lib`` are guaranteed to stay as long they are not altered by *Argon2* itself.
+All constants and types on ``argon2.low_level.lib`` are guaranteed to stay as long they are not altered by Argon2 itself.

 .. autofunction:: error_to_str

@ -231,7 +238,7 @@ These APIs are from the first release of *argon2-cffi* and proved to live in an
 On one hand they have defaults and check parameters but on the other hand they only consume byte strings.

 Therefore the decision has been made to replace them by a high-level (:class:`argon2.PasswordHasher`) and a low-level (:mod:`argon2.low_level`) solution.
-There are no immediate plans to remove them though.
+They will be removed in 2024.

 .. autofunction:: argon2.hash_password
 .. autofunction:: argon2.hash_password_raw
--- a/docs/argon2.md
+++ b/docs/argon2.md
@ -0,0 +1,61 @@
+# What is Argon2?
+
+:::{note}
+**TL;DR**: Use {class}`argon2.PasswordHasher` with its default parameters to securely hash your passwords.
+
+You do **not** need to read or understand anything below this box.
+:::
+
+Argon2 is a secure password hashing algorithm.
+It is designed to have both a configurable runtime as well as memory consumption.
+
+This means that you can decide how long it takes to hash a password and how much memory is required.
+
+In September 2021, Argon2 has been standardized by the IETF in {rfc}`9106`.
+
+Argon2 comes in three variants: Argon2**d**, Argon2**i**, and Argon2**id**.
+Argon2**d**'s strength is the resistance against [time–memory trade-offs], while Argon2**i**'s focus is on resistance against [side-channel attacks].
+
+Accordingly, Argon2**i** was originally considered the correct choice for password hashing and password-based key derivation.
+In practice it turned out that a *combination* of d and i -- that combines their strengths -- is the better choice.
+And so Argon2**id** was born and is now considered the *main variant* -- and the only variant required by the RFC to be implemented.
+
+
+## Why “just use bcrypt” Is Not the Best Answer (Anymore)
+
+The current workhorses of password hashing are unquestionably [*bcrypt*] and [PBKDF2].
+And while they're still fine to use, the password cracking community embraced new technologies like [GPU]s and [ASIC]s to crack password in a highly parallel fashion.
+
+An effective measure against extreme parallelism proved making computation of password hashes also *memory* hard.
+The best known implementation of that approach is to date [*scrypt*].
+However according to the [Argon2 paper] [^outdated], page 2:
+
+> \[…\] the existence of a trivial time-memory tradeoff allows compact implementations with the same energy cost.
+
+Therefore a new algorithm was needed.
+This time future-proof and with committee-vetting instead of single implementers.
+
+[^outdated]: Please note that the paper is in some parts outdated.
+    For instance it predates the genesis of Argon2**id**.
+    Generally please refer to {rfc}`9106` instead.
+
+
+## Password Hashing Competition
+
+The [Password Hashing Competition] took place between 2012 and 2015 to find a new, secure, and future-proof password hashing algorithm.
+Previously the NIST was in charge but after certain events and [revelations] their integrity has been put into question by the general public.
+So a group of independent cryptographers and security researchers came together.
+
+In the end, Argon2 was [announced] as the winner.
+
+[announced]: https://groups.google.com/forum/#!topic/crypto-competitions/3QNdmwBS98o
+[argon2 paper]: https://www.password-hashing.net/argon2-specs.pdf
+[asic]: https://en.wikipedia.org/wiki/Application-specific_integrated_circuit
+[*bcrypt*]: https://en.wikipedia.org/wiki/Bcrypt
+[gpu]: https://hashcat.net/hashcat/
+[password hashing competition]: https://www.password-hashing.net/
+[pbkdf2]: https://en.wikipedia.org/wiki/PBKDF2
+[revelations]: https://en.wikipedia.org/wiki/Dual_EC_DRBG
+[*scrypt*]: https://en.wikipedia.org/wiki/Scrypt
+[side-channel attacks]: https://en.wikipedia.org/wiki/Side-channel_attack
+[time–memory trade-offs]: https://en.wikipedia.org/wiki/Space–time_tradeoff
--- a/docs/argon2.rst
+++ b/docs/argon2.rst
@ -1,62 +0,0 @@
-What is *Argon2*?
-=================
-
-.. note::
-
-  **TL;DR**: Use :class:`argon2.PasswordHasher` with its default parameters to securely hash your passwords.
-
-  You do **not** need to read or understand anything below this box.
-
-*Argon2* is a secure password hashing algorithm.
-It is designed to have both a configurable runtime as well as memory consumption.
-
-This means that you can decide how long it takes to hash a password and how much memory is required.
-
-*Argon2* comes in three variants:
-
-Argon2d
-  is faster and uses data-depending memory access, which makes it less suitable for hashing secrets and more suitable for cryptocurrencies and applications with no threats from side-channel timing attacks.
-
-Argon2i
-  uses data-independent memory access, which is preferred for password hashing and password-based key derivation.
-  Argon2i is slower as it makes more passes over the memory to protect from tradeoff attacks.
-
-Argon2id
-  is a hybrid of Argon2i and Argon2d, using a combination of data-depending and data-independent memory accesses, which gives some of Argon2i's resistance to side-channel cache timing attacks and much of Argon2d's resistance to GPU cracking attacks.
-
-
-Why “just use bcrypt” Is Not the Best Answer (Anymore)
------------------------------------------------------
-
-The current workhorses of password hashing are unquestionably bcrypt_ and PBKDF2_.
-And while they're still fine to use, the password cracking community embraced new technologies like GPU_\ s and ASIC_\ s to crack password in a highly parallel fashion.
-
-An effective measure against extreme parallelism proved making computation of password hashes also *memory* hard.
-The best known implementation of that approach is to date scrypt_.
-However according to the `Argon2 paper`_, page 2:
-
-  […] the existence of a trivial time-memory tradeoff allows compact implementations with the same energy cost.
-
-Therefore a new algorithm was needed.
-This time future-proof and with committee-vetting instead of single implementors.
-
-.. _bcrypt: https://en.wikipedia.org/wiki/Bcrypt
-.. _PBKDF2: https://en.wikipedia.org/wiki/PBKDF2
-.. _GPU: https://hashcat.net/hashcat/
-.. _ASIC: https://en.wikipedia.org/wiki/Application-specific_integrated_circuit
-.. _scrypt: https://en.wikipedia.org/wiki/Scrypt
-.. _Argon2 paper: https://www.password-hashing.net/argon2-specs.pdf
-
-
-Password Hashing Competition
----------------------------
-
-The `Password Hashing Competition`_ took place between 2012 and 2015 to find a new, secure, and future-proof password hashing algorithm.
-Previously the NIST was in charge but after certain events and revelations_ their integrity has been put into question by the general public.
-So a group of independent cryptographers and security researchers came together.
-
-In the end, *Argon2* was announced_ as the winner.
-
-.. _Password Hashing Competition: https://www.password-hashing.net/
-.. _revelations: https://en.wikipedia.org/wiki/Dual_EC_DRBG
-.. _announced: https://groups.google.com/forum/#!topic/crypto-competitions/3QNdmwBS98o
--- a/docs/cli.md
+++ b/docs/cli.md
@ -0,0 +1,24 @@
+# CLI
+
+To aid you with finding the parameters, *argon2-cffi* offers a CLI interface that can be accessed using `python -m argon2`.
+It will benchmark Argon2's password *verification* in the current environment:
+
+```console
+$ python -m argon2
+Running Argon2id 100 times with:
+hash_len: 32 bytes
+memory_cost: 65536 KiB
+parallelism: 4 threads
+time_cost: 3 iterations
+
+Measuring...
+
+45.7ms per password verification
+```
+
+You can use command line arguments to set hashing parameters.
+Either by setting them one by one (`-t` for time, `-m` for memory, `-p` for parallelism, `-l` for hash length), or by passing `--profile` followed by one of the names from {mod}`argon2.profiles`.
+In that case, the other parameters are ignored.
+If you don't pass any arguments as above, it runs with {class}`argon2.PasswordHasher`'s default values.
+
+This should make it much easier to determine the right parameters for your use case and your environment.
--- a/docs/cli.rst
+++ b/docs/cli.rst
@ -1,25 +0,0 @@
-CLI
-===
-
-To aid you with finding the parameters, *argon2-cffi* offers a CLI interface that can be accessed using ``python -m argon2``.
-It will benchmark *Argon2*’s password *verification* in the current environment:
-
-.. code-block:: console
-
-   $ python -m argon2
-   Running Argon2id 100 times with:
-   hash_len: 32 bytes
-   memory_cost: 65536 KiB
-   parallelism: 4 threads
-   time_cost: 3 iterations
-
-   Measuring...
-
-   45.7ms per password verification
-
-You can use command line arguments to set hashing parameters.
-Either by setting them one by one (``-t`` for time, ``-m`` for memory, ``-p`` for parallelism, ``-l`` for hash length), or by passing ``--profile`` followed by one of the names from :mod:`argon2.profiles`.
-In that case, the other parameters are ignored.
-If you don't pass any arguments as above, it runs with :class:`argon2.PasswordHasher`'s default values.
-
-This should make it much easier to determine the right parameters for your use case and your environment.
--- a/docs/conf.py
+++ b/docs/conf.py
@ -3,37 +3,29 @@
 from importlib import metadata


-# If extensions (or modules to document with autodoc) are in another directory,
-# add these directories to sys.path here. If the directory is relative to the
-# documentation root, use os.path.abspath to make it absolute, like shown here.
-# sys.path.insert(0, os.path.abspath('.'))
-
-# -- General configuration ------------------------------------------------
-
-# If your documentation needs a minimal Sphinx version, state it here.
-# needs_sphinx = '1.0'
-
 # Add any Sphinx extension module names here, as strings. They can be
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.

 extensions = [
+    "myst_parser",
    "notfound.extension",
    "sphinx.ext.autodoc",
    "sphinx.ext.doctest",
    "sphinx.ext.intersphinx",
    "sphinx.ext.todo",
+    "sphinx.ext.napoleon",
+    "sphinx_copybutton",
 ]

+myst_enable_extensions = ["deflist", "colon_fence"]
+
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ["_templates"]

 # The suffix of source filenames.
 source_suffix = ".rst"

-# The encoding of source files.
-# source_encoding = 'utf-8-sig'
-
 # The master toctree document.
 master_doc = "index"

@ -46,153 +38,49 @@ copyright = "2015, Hynek Schlawack"
 # built documents.
 #
 # The full version, including alpha/beta/rc tags.
-release = metadata.version("argon2-cffi")
-# The short X.Y version.
-version = release.rsplit(".", 1)[0]
+if "dev" in (release := metadata.version("argon2-cffi")):
+    release = version = "UNRELEASED"
+else:
+    # The short X.Y version.
+    version = release.rsplit(".", 1)[0]

-rst_epilog = f"""
-.. |changelog| replace:: What’s new?
-.. _changelog: https://github.com/hynek/argon2-cffi/blob/{release}/CHANGELOG.md
-"""  # noqa
+# Move type hints into the description block, instead of the func definition.
+autodoc_typehints = "description"
+autodoc_typehints_description_target = "documented"

-# In dev mode, always point to main branch. There's no tags yet.
-if release.endswith(".dev0"):
-    rst_epilog = rst_epilog.replace(release, "main")
-
-# The language for content autogenerated by Sphinx. Refer to documentation
-# for a list of supported languages.
-# language = None
-
-# There are two options for replacing |today|: either, you set today to some
-# non-false value, then it is used:
-# today = ''
-# Else, today_fmt is used as the format for a strftime call.
-# today_fmt = '%B %d, %Y'

 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
 exclude_patterns = ["_build"]

+# nitpick_ignore = []
+
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
-# default_role = None
+default_role = "any"

 # If true, '()' will be appended to :func: etc. cross-reference text.
-# add_function_parentheses = True
-
-# If true, the current module name will be prepended to all description
-# unit titles (such as .. function::).
-# add_module_names = True
-
-# If true, sectionauthor and moduleauthor directives will be shown in the
-# output. They are ignored by default.
-# show_authors = False
-
-
-# A list of ignored prefixes for module index sorting.
-# modindex_common_prefix = []
-
-# If true, keep warnings as "system message" paragraphs in the built documents.
-# keep_warnings = False
+add_function_parentheses = True


 # -- Options for HTML output ----------------------------------------------

-# The theme to use for HTML and HTML Help pages.  See the documentation for
-# a list of builtin themes.
-
 html_theme = "furo"
-
-# Theme options are theme-specific and customize the look and feel of a theme
-# further.  For a list of options available for each theme, see the
-# documentation.
-# html_theme_options = {}
-
-# Add any paths that contain custom themes here, relative to this directory.
-# html_theme_path = []
-
-# The name for this set of Sphinx documents.  If None, it defaults to
-# "<project> v<release> documentation".
-# html_title = None
-
-# A shorter title for the navigation bar.  Default is the same as html_title.
-# html_short_title = None
-
-# The name of an image file (relative to this directory) to place at the top
-# of the sidebar.
-# html_logo = None
-
-# The name of an image file (within the static path) to use as favicon of the
-# docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
-# pixels large.
-# html_favicon = None
-
-# Add any paths that contain custom static files (such as style sheets) here,
-# relative to this directory. They are copied after the builtin static files,
-# so a file named "default.css" will overwrite the builtin "default.css".
-# html_static_path = ['_static']
-
-# Add any extra paths that contain custom files (such as robots.txt or
-# .htaccess) here, relative to this directory. These files are copied
-# directly to the root of the documentation.
-# html_extra_path = []
-
-# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
-# using the given strftime format.
-# html_last_updated_fmt = '%b %d, %Y'
-
-# If true, SmartyPants will be used to convert quotes and dashes to
-# typographically correct entities.
-# html_use_smartypants = True
-
-# Custom sidebar templates, maps document names to template names.
-# html_sidebars = {}
-
-# Additional templates that should be rendered to pages, maps page names to
-# template names.
-# html_additional_pages = {}
-
-# If false, no module index is generated.
-# html_domain_indices = True
-
-# If false, no index is generated.
-# html_use_index = True
-
-# If true, the index is split into individual pages for each letter.
-# html_split_index = False
-
-# If true, links to the reST sources are added to the pages.
-# html_show_sourcelink = True
-
-# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
-# html_show_sphinx = True
-
-# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
-# html_show_copyright = True
-
-# If true, an OpenSearch description file will be output, and all pages will
-# contain a <link> tag referring to it.  The value of this option must be the
-# base URL from which the finished HTML is served.
-# html_use_opensearch = ''
-
-# This is the file name suffix for HTML files (e.g. ".xhtml").
-# html_file_suffix = None
+html_theme_options = {
+    "top_of_page_buttons": [],
+    "light_css_variables": {
+        "font-stack": "Inter,sans-serif",
+        "font-stack--monospace": "BerkeleyMono, MonoLisa, ui-monospace, "
+        "SFMono-Regular, Menlo, Consolas, Liberation Mono, monospace",
+    },
+}
+html_static_path = ["_static"]
+html_css_files = ["custom.css"]

 # Output file base name for HTML help builder.
 htmlhelp_basename = "argon2-cffidoc"


-# -- Options for LaTeX output ---------------------------------------------
-
-latex_elements = {
-    # The paper size ('letterpaper' or 'a4paper').
-    # 'papersize': 'letterpaper',
-    # The font size ('10pt', '11pt' or '12pt').
-    # 'pointsize': '10pt',
-    # Additional stuff for the LaTeX preamble.
-    # 'preamble': '',
-}
-
 # Grouping the document tree into LaTeX files. List of tuples
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
@ -206,27 +94,6 @@ latex_documents = [
    )
 ]

-# The name of an image file (relative to this directory) to place at the top of
-# the title page.
-# latex_logo = None
-
-# For "manual" documents, if this is true, then toplevel headings are parts,
-# not chapters.
-# latex_use_parts = False
-
-# If true, show page references after internal links.
-# latex_show_pagerefs = False
-
-# If true, show URL addresses after external links.
-# latex_show_urls = False
-
-# Documents to append as an appendix to all manuals.
-# latex_appendices = []
-
-# If false, no module index is generated.
-# latex_domain_indices = True
-
-
 # -- Options for manual page output ---------------------------------------

 # One entry per manual page. List of tuples
@ -241,9 +108,6 @@ man_pages = [
    )
 ]

-# If true, show URL addresses after external links.
-# man_show_urls = False
-

 # -- Options for Texinfo output -------------------------------------------

@ -257,23 +121,10 @@ texinfo_documents = [
        "argon2-cffi Documentation",
        "Hynek Schlawack",
        "argon2-cffi",
-        "One line description of project.",
+        "Argon2 for Python",
        "Miscellaneous",
    )
 ]

-# Documents to append as an appendix to all manuals.
-# texinfo_appendices = []

-# If false, no module index is generated.
-# texinfo_domain_indices = True
-
-# How to display URL addresses: 'footnote', 'no', or 'inline'.
-# texinfo_show_urls = 'footnote'
-
-# If true, do not generate a @detailmenu in the "Top" node's menu.
-# texinfo_no_detailmenu = False
-
-
-# Example configuration for intersphinx: refer to the Python standard library.
-intersphinx_mapping = {"https://docs.python.org/3": None}
+intersphinx_mapping = {"python": ("https://docs.python.org/3", None)}
--- a/docs/faq.md
+++ b/docs/faq.md
@ -0,0 +1,2 @@
+```{include} ../FAQ.md
+```
--- a/docs/faq.rst
+++ b/docs/faq.rst
@ -1 +0,0 @@
-.. include:: ../FAQ.rst
--- a/docs/howto.md
+++ b/docs/howto.md
@ -0,0 +1,38 @@
+# How to Hash a Password
+
+*argon2-cffi* comes with an high-level API and uses the officially recommended low-memory Argon2 parameters that result in a verification time of 40--50ms on recent-ish hardware.
+
+:::{warning}
+The current memory requirement is set to rather conservative 64 MB.
+However, in memory constrained environments such as Docker containers that can lead to problems.
+One possible non-obvious symptom are apparent freezes that are caused by swapping.
+
+Please check {doc}`parameters` for more details.
+:::
+
+Unless you have any special requirements, all you need to know is:
+
+```python
+>>> from argon2 import PasswordHasher
+>>> ph = PasswordHasher()
+>>> hash = ph.hash("correct horse battery staple")
+>>> hash  # doctest: +SKIP
+'$argon2id$v=19$m=65536,t=3,p=4$MIIRqgvgQbgj220jfp0MPA$YfwJSVjtjSU0zzV/P3S9nnQ/USre2wvJMjfCIjrTQbg'
+>>> ph.verify(hash, "correct horse battery staple")
+True
+>>> ph.check_needs_rehash(hash)
+False
+>>> ph.verify(hash, "Tr0ub4dor&3")
+Traceback (most recent call last):
+...
+argon2.exceptions.VerifyMismatchError: The password does not match the supplied hash
+```
+
+A login function could thus look like this:
+
+```{literalinclude} login_example.py
+```
+
+---
+
+While the {class}`argon2.PasswordHasher` class has the aspiration to be good to use out of the box, it has all the parametrization you'll need.
--- a/docs/index.md
+++ b/docs/index.md
@ -0,0 +1,44 @@
+# *argon2-cffi*: Argon2 for Python
+
+Release **{sub-ref}`release`**  ([What's new?](https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md))
+
+```{include} ../README.md
+:end-before: <!-- end short -->
+:start-after: <!-- begin short -->
+```
+
+If you don't know where to start, learn {doc}`argon2` and take it from there!
+
+
+## Indices and Tables
+
+- {doc}`api`
+- {ref}`genindex`
+- {ref}`search`
+
+
+```{toctree}
+:hidden:
+:maxdepth: 1
+
+argon2
+installation
+howto
+api
+parameters
+cli
+faq
+```
+
+
+```{toctree}
+:hidden:
+:caption: Meta
+
+PyPI <https://pypi.org/project/argon2-cffi/>
+GitHub <https://github.com/hynek/argon2-cffi/>
+Changelog <https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md>
+Contributing <https://github.com/hynek/argon2-cffi/blob/main/.github/CONTRIBUTING.md>
+Security Policy <https://github.com/hynek/argon2-cffi/blob/main/.github/SECURITY.md>
+Funding <https://hynek.me/say-thanks/>
+```
--- a/docs/index.rst
+++ b/docs/index.rst
@ -1,41 +0,0 @@
-==================================
-*argon2-cffi*: *Argon2* for Python
-==================================
-
-Release v\ |release| (|changelog|_)
-
-
-.. include:: ../README.rst
-   :start-after: -begin-short-
-   :end-before: -end-short-
-
-
-User's Guide
-============
-
-.. toctree::
-   :maxdepth: 1
-
-   argon2
-   installation
-   api
-   parameters
-   cli
-   faq
-
-
-.. include:: ../README.rst
-   :start-after: -begin-meta-
-   :end-before: -end-meta-
-
-.. toctree::
-   :maxdepth: 1
-
-   license
-
-
-Indices and tables
-==================
-
-* :ref:`genindex`
-* :ref:`search`
--- a/docs/installation.md
+++ b/docs/installation.md
@ -0,0 +1,78 @@
+# Installation
+
+## Using a Vendored Argon2
+
+```console
+$ python -Im pip install argon2-cffi
+```
+
+should be all it takes.
+
+But since *argon2-cffi* depends on [argon2-cffi-bindings] that vendors Argon2's C code by default, it can lead to complications depending on the platform.
+
+The C code is known to compile and work on all common platforms (including x86, ARM, and PPC).
+On x86, an [SSE2]-optimized version is used.
+
+If something goes wrong, please try to update your *pip* package first:
+
+```console
+$ python -Im pip install -U pip
+```
+
+Overall this should be the safest bet because *argon2-cffi* has been specifically tested against the vendored version.
+
+
+### Wheels
+
+Binary [wheels](https://pythonwheels.com) for macOS, Windows, and Linux are provided on [PyPI] by [argon2-cffi-bindings].
+With a recent-enough *pip* they should be used automatically.
+
+
+### Source Distribution
+
+A working C compiler and [CFFI environment] are required to build the [argon2-cffi-bindings] dependency.
+If you've been able to compile Python CFFI extensions before, *argon2-cffi* should install without any problems.
+
+
+## Using a System-wide Installation of Argon2
+
+If you set `ARGON2_CFFI_USE_SYSTEM` to `1` (and *only* `1`), *argon2-cffi-bindings* will not build its bindings.
+However binary wheels are preferred by *pip* and Argon2 gets installed along with *argon2-cffi* anyway.
+
+Therefore you also have to instruct *pip* to use a source distribution of [argon2-cffi-bindings]:
+
+```console
+$ env ARGON2_CFFI_USE_SYSTEM=1 \
+    python -m pip install --no-binary=argon2-cffi-bindings argon2-cffi
+```
+
+This approach can lead to problems around your build chain and you can run into incompatibilities between Argon2 and *argon2-cffi* if the latter has been tested against a different version.
+
+**It is your own responsibility to deal with these risks if you choose this path.**
+
+:::{versionadded} 18.1.0
+:::
+
+:::{versionchanged} 21.2.0
+The `--no-binary` option value changed due to the outsourcing of the binary bindings.
+:::
+
+
+## Override Automatic SSE2 Detection
+
+Usually the build process tries to guess whether or not it should use [SSE2]-optimized code.
+Despite our best efforts, this can go wrong.
+
+Therefore you can use the `ARGON2_CFFI_USE_SSE2` environment variable to control the process:
+
+- If you set it to `1`, *argon2-cffi* will build **with** SSE2 support.
+- If you set it to `0`, *argon2-cffi* will build **without** SSE2 support.
+- If you set it to anything else, it will be ignored and *argon2-cffi* will try to guess.
+
+:::{versionadded} 20.1.0
+:::
+
+[argon2-cffi-bindings]: https://github.com/hynek/argon2-cffi-bindings
+[cffi environment]: https://cffi.readthedocs.io/en/latest/installation.html
+[pypi]: https://pypi.org/project/argon2-cffi-bindings/
+[sse2]: https://en.wikipedia.org/wiki/SSE2
--- a/docs/installation.rst
+++ b/docs/installation.rst
@ -1,81 +0,0 @@
-Installation
-============
-
-Using a Vendored *Argon2*
-------------------------
-
-.. code-block:: bash
-
-  python -m pip install argon2-cffi
-
-should be all it takes.
-
-But since *argon2-cffi* depends on `argon2-cffi-bindings`_ that vendors *Argon2*'s C code by default, it can lead to complications depending on the platform.
-
-The C code is known to compile and work on all common platforms (including x86, ARM, and PPC).
-On x86, an SSE2_-optimized version is used.
-
-If something goes wrong, please try to update your *cffi*, *pip* and *setuptools* packages first:
-
-.. code-block:: bash
-
-  python -m pip install -U cffi pip setuptools
-
-
-Overall this should be the safest bet because *argon2-cffi* has been specifically tested against the vendored version.
-
-
-Wheels
-^^^^^^
-
-Binary `wheels <https://pythonwheels.com>`_ for macOS, Windows, and Linux are provided on PyPI_ by `argon2-cffi-bindings`_.
-With a recent-enough *pip* and *setuptools*, they should be used automatically.
-
-
-Source Distribution
-^^^^^^^^^^^^^^^^^^^
-
-A working C compiler and `CFFI environment`_ are required to build the `argon2-cffi-bindings`_ dependency.
-If you've been able to compile Python CFFI extensions before, *argon2-cffi* should install without any problems.
-
-
-Using a System-wide Installation of *Argon2*
--------------------------------------------
-
-If you set ``ARGON2_CFFI_USE_SYSTEM`` to ``1`` (and *only* ``1``), *argon2-cffi-bindings* will not build its bindings.
-However binary wheels are preferred by *pip* and *Argon2* gets installed along with *argon2-cffi* anyway.
-
-Therefore you also have to instruct *pip* to use a source distribution of `argon2-cffi-bindings`_:
-
-.. code-block:: bash
-
-  env ARGON2_CFFI_USE_SYSTEM=1 \
-    python -m pip install --no-binary=argon2-cffi-bindings argon2-cffi
-
-This approach can lead to problems around your build chain and you can run into incompatibilities between *Argon2* and *argon2-cffi* if the latter has been tested against a different version.
-
-**It is your own responsibility to deal with these risks if you choose this path.**
-
-Available since version 18.1.0.
-The ``--no-binary`` option value changed in 21.2.0 due to the outsourcing of the binary bindings.
-
-
-Override Automatic SSE2 Detection
---------------------------------
-
-Usually the build process tries to guess whether or not it should use SSE2_-optimized code.
-Despite our best efforts, this can go wrong.
-
-Therefore you can use the ``ARGON2_CFFI_USE_SSE2`` environment variable to control the process:
-
- If you set it to ``1``, *argon2-cffi* will build **with** SSE2 support.
- If you set it to ``0``, *argon2-cffi* will build **without** SSE2 support.
- If you set it to anything else, it will be ignored and *argon2-cffi* will try to guess.
-
-Available since version 20.1.0.
-
-
-.. _SSE2: https://en.wikipedia.org/wiki/SSE2
-.. _PyPI: https://pypi.org/project/argon2-cffi-bindings/
-.. _CFFI environment: https://cffi.readthedocs.io/en/latest/installation.html
-.. _`argon2-cffi-bindings`: https://github.com/hynek/argon2-cffi-bindings
--- a/docs/license.rst
+++ b/docs/license.rst
@ -1 +0,0 @@
-.. include:: ../AUTHORS.rst
--- a/docs/parameters.md
+++ b/docs/parameters.md
@ -0,0 +1,54 @@
+# Choosing Parameters
+
+:::{note}
+You can probably just use {class}`argon2.PasswordHasher` with its default values and be fine.
+But it's good to double check using *argon2-cffi*'s {doc}`cli` client, whether its defaults are too slow or too fast for your use case.
+:::
+
+Finding the right parameters for a password hashing algorithm is a daunting task.
+As of September 2021, we have the official Internet standard [RFC 9106] to help us with it.
+
+It comes with two recommendations in [section 4](https://www.rfc-editor.org/rfc/rfc9106.html#section-4), that (as of *argon2-cffi* 21.2.0) you can load directly from the {mod}`argon2.profiles` module: {data}`argon2.profiles.RFC_9106_HIGH_MEMORY` (called "FIRST RECOMMENDED") and {data}`argon2.profiles.RFC_9106_LOW_MEMORY` ("SECOND RECOMMENDED") into {meth}`argon2.PasswordHasher.from_parameters()`.
+
+Please use the {doc}`cli` interface together with its `--profile` argument to see if they work for you.
+
+---
+
+If you need finer tuning, the current recommended best practice is as follow:
+
+1. Choose whether you want Argon2i, Argon2d, or Argon2id (`type`).
+   If you don't know what that means, choose Argon2id ({attr}`argon2.low_level.Type.ID`).
+
+2. Figure out how many threads can be used on each call to Argon2 (`parallelism`, called "lanes" in the RFC).
+   They recommend 4 threads.
+
+3. Figure out how much memory each call can afford (`memory_cost`).
+   The APIs use [Kibibytes] (1024 bytes) as base unit.
+
+4. Select the salt length.
+   16 bytes is sufficient for all applications, but can be reduced to 8 bytes in the case of space constraints.
+
+5. Choose a hash length (`hash_len`, called "tag length" in the documentation).
+   16 bytes is sufficient for password verification.
+
+6. Figure out how long each call can take.
+   One [recommendation](https://web.archive.org/web/20160304024620/https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/) for concurrent user logins is to keep it under 0.5 ms.
+   The RFC used to recommend under 500 ms.
+   The truth is somewhere between those two values: more is more secure, less is a better user experience.
+   *argon2-cffi*'s current defaults land with ~50ms somewhere in the middle, but the actual time depends on your hardware.
+
+   Please note though, that even a verification time of 1 second won't protect you against bad passwords from the "top 10,000 passwords" lists that you can find online.
+
+7. Measure the time for hashing using your chosen parameters.
+   Start with `time_cost=1` and measure the time it takes.
+   Raise `time_cost` until it is within your accounted time.
+   If `time_cost=1` takes too long, lower `memory_cost`.
+
+*argon2-cffi*'s {doc}`cli` will help you with this process.
+
+:::{note}
+Alternatively, you can also refer to the [OWASP cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id).
+:::
+
+[kibibytes]: https://en.wikipedia.org/wiki/Kibibyte
+[rfc 9106]: https://www.rfc-editor.org/rfc/rfc9106.html
--- a/docs/parameters.rst
+++ b/docs/parameters.rst
@ -1,51 +0,0 @@
-Choosing Parameters
-===================
-
-.. note::
-
-  You can probably just use :class:`argon2.PasswordHasher` with its default values and be fine.
-  But it's good to double check using *argon2-cffi*'s :doc:`cli` client, whether its defaults are too slow or too fast for your use case.
-
-Finding the right parameters for a password hashing algorithm is a daunting task.
-As of September 2021, we have the official Internet standard `RFC 9106`_ to help use with it.
-
-It comes with two recommendations in `section 4 <https://www.rfc-editor.org/rfc/rfc9106.html#section-4>`_, that (as of *argon2-cffi* 21.2.0) you can load directly from the :mod:`argon2.profiles` module: :data:`argon2.profiles.RFC_9106_HIGH_MEMORY` (called "FIRST RECOMMENDED") and :data:`argon2.profiles.RFC_9106_LOW_MEMORY` ("SECOND RECOMMENDED") into :meth:`argon2.PasswordHasher.from_parameters()`.
-
-Please use the :doc:`cli` interface together with its `\-\-profile` argument to see if they work for you.
-
----
-
-If you need finer tuning, the current recommended best practice is as follow:
-
-#. Choose whether you want Argon2i, Argon2d, or Argon2id (``type``).
-   If you don't know what that means, choose Argon2id (:attr:`argon2.Type.ID`).
-#. Figure out how many threads can be used on each call to *Argon2* (``parallelism``, called "lanes" in the RFC).
-   They recommend 4 threads.
-#. Figure out how much memory each call can afford (``memory_cost``).
-   The APIs use Kibibytes_ (1024 bytes) as base unit.
-#. Select the salt length.
-   16 bytes is sufficient for all applications, but can be reduced to 8 bytes in the case of space constraints.
-#. Choose a hash length (``hash_len``, called "tag length" in the documentation).
-   16 bytes is sufficient for password verification.
-#. Figure out how long each call can take.
-   One `recommendation <https://web.archive.org/web/20160304024620/https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/>`_ for concurrent user logins is to keep it under 0.5 ms.
-   The RFC used to recommend under 500 ms.
-   The truth is somewhere between those two values: more is more secure, less is a better user experience.
-   *argon2-cffi*'s current defaults land with ~50ms somewhere in the middle, but the actual time depends on your hardware.
-
-   Please note though, that even a verification time of 1 second won't protect you against bad passwords from the "top 10,000 passwords" lists that you can find online.
-#. Measure the time for hashing using your chosen parameters.
-   Start with ``time_cost=1`` and measure the time it takes.
-   Raise ``time_cost`` until it is within your accounted time.
-   If ``time_cost=1`` takes too long, lower ``memory_cost``.
-
-*argon2-cffi*'s :doc:`cli` will help you with this process.
-
-
-.. note::
-
-   Alternatively, you can also refer to the `OWASP cheatsheet <https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id>`_.
-
-
-.. _`RFC 9106`: https://www.rfc-editor.org/rfc/rfc9106.html
-.. _kibibytes: https://en.wikipedia.org/wiki/Kibibyte
--- a/mypy.ini
+++ b/mypy.ini
@ -1,28 +0,0 @@
-[mypy]
-# show error messages from unrelated files
-follow_imports = normal
-
-# suppress errors about unsatisfied imports
-ignore_missing_imports = True
-
-# be strict
-check_untyped_defs = True
-disallow_any_generics = True
-disallow_incomplete_defs = True
-disallow_untyped_calls = True
-disallow_untyped_defs = True
-no_implicit_optional = True
-strict_optional = True
-warn_no_return = True
-warn_redundant_casts = True
-warn_unreachable = True
-warn_unused_ignores = True
-
-# sometimes redefinition is just fine
-allow_redefinition = True
-
-[mypy-tests.*]
-ignore_errors = True
-
-[mypy-conftest]
-ignore_errors = True
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,109 +1,109 @@
 # SPDX-License-Identifier: MIT

 [build-system]
-requires = ["flit_core >=3.4,<4"]
-build-backend = "flit_core.buildapi"
+requires = ["hatchling", "hatch-vcs", "hatch-fancy-pypi-readme"]
+build-backend = "hatchling.build"
+
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/argon2"]
+

 [project]
 name = "argon2-cffi"
-authors = [{name = "Hynek Schlawack", email = "hs@ox.cx"}]
-dynamic = ["version", "description"]
-requires-python = ">=3.6"
-dependencies = [
-    "argon2-cffi-bindings",
-    "dataclasses; python_version < '3.7'",
-    "typing-extensions; python_version < '3.8'",  # c.f. _typing.py module
-]
-license = { file = "LICENSE" }
-readme = "README.rst"
+description = "Argon2 for Python"
+authors = [{ name = "Hynek Schlawack", email = "hs@ox.cx" }]
+dynamic = ["version", "readme"]
+requires-python = ">=3.9"
+license = "MIT"
+license-files = ["LICENSE"]
 keywords = ["password", "hash", "hashing", "security"]
 classifiers = [
    "Development Status :: 5 - Production/Stable",
-    "Intended Audience :: Developers",
-    "License :: OSI Approved :: MIT License",
-    "Natural Language :: English",
    "Operating System :: MacOS :: MacOS X",
    "Operating System :: Microsoft :: Windows",
    "Operating System :: POSIX",
-    "Operating System :: Unix",
-    "Programming Language :: Python :: 3",
-    "Programming Language :: Python :: 3.6",
-    "Programming Language :: Python :: 3.7",
-    "Programming Language :: Python :: 3.8",
    "Programming Language :: Python :: 3.9",
    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Programming Language :: Python :: Free Threading",
    "Programming Language :: Python :: Implementation :: CPython",
    "Programming Language :: Python :: Implementation :: PyPy",
-    "Programming Language :: Python",
    "Topic :: Security :: Cryptography",
-    "Topic :: Security",
-    "Topic :: Software Development :: Libraries :: Python Modules",
+    "Typing :: Typed",
 ]
+dependencies = ["argon2-cffi-bindings"]

-[project.urls]
-Changelog = "https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md"
-Documentation = "https://argon2-cffi.readthedocs.io/"
-"Source Code" = "https://github.com/hynek/argon2-cffi"
-Funding = "https://github.com/sponsors/hynek"
-Tidelift = "https://tidelift.com/subscription/pkg/pypi-argon2-cffi?utm_source=pypi-argon2-cffi&utm_medium=pypi"
-Ko-fi = "https://ko-fi.com/the_hynek"
-
-[tool.flit.sdist]
-include = [
-    ".pre-commit-config.yaml",
-    ".readthedocs.yml",
-    "*.ini",
-    "*.rst",
-    "LICENSE.*",
-    "docs",
-    "tests",
-    ".github",
-    "show_off.py",
-]
-exclude = [
-    "docs/_build",
-    "tests/__pycache__",
-    "tests/.mypy_cache",
-]
-
-[project.optional-dependencies]
-tests = ["coverage[toml]>=5.0.2", "hypothesis", "pytest"]
-docs = ["sphinx", "sphinx-notfound-page", "furo"]
-
-# Combine tests and docs and a few more dev tools to a dev environment.
-# Refresh using `tox -e cog`
-
-dev = [
-    "pre-commit",
-    "cogapp",
-    "tomli",
-    # [[[cog
-    # import pathlib, tomli
-    # cfg = tomli.loads(pathlib.Path("pyproject.toml").read_text())
-    # opt = cfg["project"]["optional-dependencies"]
-    # for dep in opt["tests"] + opt["docs"]:
-    #     print(f'"{dep}",')
-    # ]]]
-    "coverage[toml]>=5.0.2",
-    "hypothesis",
-    "pytest",
+[dependency-groups]
+tests = ["hypothesis", "pytest"]
+typing = ["mypy"]
+docs = [
    "sphinx",
    "sphinx-notfound-page",
+    "sphinx-copybutton",
    "furo",
-    # [[[end]]]
+    "myst-parser",
 ]
+dev = [{ include-group = "tests" }, { include-group = "typing" }, "tox>4"]

-[tool.flit.module]
-name = "argon2"
+[project.urls]
+Documentation = "https://argon2-cffi.readthedocs.io/"
+Changelog = "https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md"
+GitHub = "https://github.com/hynek/argon2-cffi"
+Funding = "https://github.com/sponsors/hynek"
+Tidelift = "https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek"
+
+
+[tool.hatch.version]
+source = "vcs"
+raw-options = { local_scheme = "no-local-version" }
+
+
+[tool.hatch.metadata.hooks.fancy-pypi-readme]
+content-type = "text/markdown"
+
+[[tool.hatch.metadata.hooks.fancy-pypi-readme.fragments]]
+text = "# *argon2-cffi*: Argon2 for Python\n\n"
+
+[[tool.hatch.metadata.hooks.fancy-pypi-readme.fragments]]
+path = "README.md"
+start-after = "<!-- begin pypi -->\n"
+end-before = "\n<!-- end pypi -->"
+
+[[tool.hatch.metadata.hooks.fancy-pypi-readme.fragments]]
+text = """
+
+## Release Information
+
+"""
+
+[[tool.hatch.metadata.hooks.fancy-pypi-readme.fragments]]
+path = "CHANGELOG.md"
+start-after = "<!-- changelog follows -->"
+pattern = "\n(###.+?\n)## "
+
+[[tool.hatch.metadata.hooks.fancy-pypi-readme.fragments]]
+text = """
+---
+
+[Full Changelog →](https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md)
+
+
+"""
+
+[[tool.hatch.metadata.hooks.fancy-pypi-readme.fragments]]
+path = "README.md"
+start-at = "## Credits"


 [tool.pytest.ini_options]
-addopts = "-ra --strict-markers --capture=no"
+addopts = ["-ra", "--strict-markers", "--strict-config"]
 xfail_strict = true
 testpaths = "tests"
-filterwarnings = [
-    "once::Warning",
-]
+filterwarnings = ["once::Warning"]


 [tool.coverage.run]
@ -112,33 +112,80 @@ branch = true
 source = ["argon2"]

 [tool.coverage.paths]
-source = ["src", ".tox/*/site-packages"]
+source = ["src", ".tox/py*/**/site-packages"]

 [tool.coverage.report]
 show_missing = true
 skip_covered = true
-exclude_lines = [
-    # a more strict default pragma
-    "\\# pragma: no cover\\b",
-
-    # allow defensive code
-    "^\\s*raise AssertionError\\b",
-    "^\\s*raise NotImplementedError\\b",
-    "^\\s*return NotImplemented\\b",
-    "^\\s*raise$",
-
-    # typing-related code
-    "^if (False|TYPE_CHECKING):",
-    ": \\.\\.\\.(\\s*#.*)?$",
-    "^ +\\.\\.\\.$",
-    "-> ['\"]?NoReturn['\"]?:",
-]
-omit = []


-[tool.black]
+[tool.interrogate]
+verbose = 2
+fail-under = 100
+whitelist-regex = ["test_.*"]
+
+
+[tool.pyright]
+ignore = ["conftest.py", "docs", "tests"]
+disableBytesTypePromotions = true
+
+
+[tool.mypy]
+strict = true
+pretty = true
+
+show_error_codes = true
+enable_error_code = ["ignore-without-code"]
+
+ignore_missing_imports = true
+
+[[tool.mypy.overrides]]
+module = "tests.*"
+ignore_errors = true
+
+
+[tool.ruff]
+src = ["src", "tests", "noxfile.py"]
 line-length = 79

+[tool.ruff.lint]
+select = ["ALL"]
+ignore = [
+    "A001",    # shadowing is fine
+    "A002",    # shadowing is fine
+    "A003",    # shadowing is fine
+    "ANN",     # Mypy is better at this
+    "ARG001",  # unused arguments are normal when implementing interfaces
+    "COM",     # Formatter takes care of our commas
+    "D",       # We prefer our own docstring style.
+    "E501",    # leave line-length enforcement to formatter
+    "ERA001",  # Dead code detection is overly eager.
+    "FBT",     # we have one function that takes one bool; c'mon!
+    "FIX",     # Yes, we want XXX as a marker.
+    "INP001",  # sometimes we want Python files outside of packages
+    "ISC001",  # conflicts with ruff format
+    "PLC0415", # sometimes, imports must live elsewhere
+    "PLR0913", # yes, many arguments, but most have defaults
+    "PLR2004", # numbers are sometimes fine
+    "PLW2901", # re-assigning within loop bodies is fine
+    "RUF001",  # leave my smart characters alone
+    "SLF001",  # private members are accessed by friendly functions
+    "TCH",     # TYPE_CHECKING blocks break autodocs
+    "TD",      # we don't follow other people's todo style
+]

-[tool.isort]
-profile = "attrs"
+[tool.ruff.lint.per-file-ignores]
+"src/argon2/__main__.py" = ["T201"] # need print in CLI
+"tests/*" = [
+    "ARG",    # stubs don't care about arguments
+    "S101",   # assert
+    "SIM300", # Yoda rocks in asserts
+    "PT005",  # we always add underscores and explicit name
+    "PT011",  # broad is fine
+    "TRY002", # stock exceptions are fine in tests
+    "EM101",  # no need for exception msg hygiene in tests
+]
+
+[tool.ruff.lint.isort]
+lines-between-types = 1
+lines-after-imports = 2
--- a/src/argon2/init.py
+++ b/src/argon2/init.py
@ -1,7 +1,7 @@
 # SPDX-License-Identifier: MIT

 """
-The secure Argon2 password hashing algorithm.
+Argon2 for Python
 """

 from . import exceptions, low_level, profiles
@ -18,18 +18,11 @@ from ._utils import Parameters, extract_parameters
 from .low_level import Type


-__version__ = "21.3.0"
-
 __title__ = "argon2-cffi"
-__description__ = (__doc__ or "").strip()
-__url__ = "https://argon2-cffi.readthedocs.io/"
-__uri__ = __url__

 __author__ = "Hynek Schlawack"
-__email__ = "hs@ox.cx"
-
-__license__ = "MIT"
 __copyright__ = "Copyright (c) 2015 " + __author__
+__license__ = "MIT"


 __all__ = [
@ -49,3 +42,38 @@ __all__ = [
    "profiles",
    "verify_password",
 ]
+
+
+def __getattr__(name: str) -> str:
+    dunder_to_metadata = {
+        "__version__": "version",
+        "__description__": "summary",
+        "__uri__": "",
+        "__url__": "",
+        "__email__": "",
+    }
+    if name not in dunder_to_metadata:
+        msg = f"module {__name__} has no attribute {name}"
+        raise AttributeError(msg)
+
+    import warnings
+
+    from importlib.metadata import metadata
+
+    warnings.warn(
+        f"Accessing argon2.{name} is deprecated and will be "
+        "removed in a future release. Use importlib.metadata directly "
+        "to query for argon2-cffi's packaging metadata.",
+        DeprecationWarning,
+        stacklevel=2,
+    )
+
+    meta = metadata("argon2-cffi")
+
+    if name in ("__uri__", "__url__"):
+        return meta["Project-URL"].split(" ", 1)[-1]
+
+    if name == "__email__":
+        return meta["Author-email"].split("<", 1)[1].rstrip(">")
+
+    return meta[dunder_to_metadata[name]]
--- a/src/argon2/main.py
+++ b/src/argon2/main.py
@ -1,11 +1,11 @@
 # SPDX-License-Identifier: MIT

+from __future__ import annotations
+
 import argparse
 import sys
 import timeit

-from typing import List
-
 from . import (
    DEFAULT_HASH_LENGTH,
    DEFAULT_MEMORY_COST,
@ -16,8 +16,11 @@ from . import (
 )


-def main(argv: List[str]) -> None:
-    parser = argparse.ArgumentParser(description="Benchmark Argon2.")
+def main(argv: list[str]) -> None:
+    parser = argparse.ArgumentParser(
+        description="Benchmark Argon2.",
+        formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+    )
    parser.add_argument(
        "-n", type=int, default=100, help="Number of iterations to measure."
    )
@ -36,7 +39,7 @@ def main(argv: List[str]) -> None:
    parser.add_argument(
        "--profile",
        type=str,
-        help="A profile from `argon2.profiles. Takes precendence.",
+        help="A profile from `argon2.profiles. Takes precedence.",
        default=None,
    )

@ -56,38 +59,29 @@ def main(argv: List[str]) -> None:
        )
    hash = ph.hash(password)

-    params = {
-        "time_cost": (ph.time_cost, "iterations"),
-        "memory_cost": (ph.memory_cost, "KiB"),
-        "parallelism": (ph.parallelism, "threads"),
-        "hash_len": (ph.hash_len, "bytes"),
-    }
+    print(f"Running Argon2id {args.n} times with:")

-    print("Running Argon2id %d times with:" % (args.n,))
-
-    for k, v in sorted(params.items()):
-        print("%s: %d %s" % (k, v[0], v[1]))
+    for name, value, units in [
+        ("hash_len", ph.hash_len, "bytes"),
+        ("memory_cost", ph.memory_cost, "KiB"),
+        ("parallelism", ph.parallelism, "threads"),
+        ("time_cost", ph.time_cost, "iterations"),
+    ]:
+        print(f"{name}: {value} {units}")

    print("\nMeasuring...")
    duration = timeit.timeit(
-        "ph.verify({hash!r}, {password!r})".format(
-            hash=hash, password=password
-        ),
-        setup="""\
-from argon2 import PasswordHasher, Type
+        f"ph.verify({hash!r}, {password!r})",
+        setup=f"""\
+from argon2 import PasswordHasher

 ph = PasswordHasher(
-    time_cost={time_cost!r},
-    memory_cost={memory_cost!r},
-    parallelism={parallelism!r},
-    hash_len={hash_len!r},
+    time_cost={args.t!r},
+    memory_cost={args.m!r},
+    parallelism={args.p!r},
+    hash_len={args.l!r},
 )
-gc.enable()""".format(
-            time_cost=args.t,
-            memory_cost=args.m,
-            parallelism=args.p,
-            hash_len=args.l,
-        ),
+gc.enable()""",
        number=args.n,
    )
    print(f"\n{duration / args.n * 1000:.1f}ms per password verification")
--- a/src/argon2/_legacy.py
+++ b/src/argon2/_legacy.py
@ -4,9 +4,12 @@
 Legacy mid-level functions.
 """

-import os
+from __future__ import annotations

-from typing import Optional
+import os
+import warnings
+
+from typing import Literal

 from ._password_hasher import (
    DEFAULT_HASH_LENGTH,
@ -15,13 +18,15 @@ from ._password_hasher import (
    DEFAULT_RANDOM_SALT_LENGTH,
    DEFAULT_TIME_COST,
 )
-from ._typing import Literal
 from .low_level import Type, hash_secret, hash_secret_raw, verify_secret


+_INSTEAD = " is deprecated, use argon2.PasswordHasher instead"
+
+
 def hash_password(
    password: bytes,
-    salt: Optional[bytes] = None,
+    salt: bytes | None = None,
    time_cost: int = DEFAULT_TIME_COST,
    memory_cost: int = DEFAULT_MEMORY_COST,
    parallelism: int = DEFAULT_PARALLELISM,
@ -29,11 +34,15 @@ def hash_password(
    type: Type = Type.I,
 ) -> bytes:
    """
-    Legacy alias for :func:`hash_secret` with default parameters.
+    Legacy alias for :func:`argon2.low_level.hash_secret` with default
+    parameters.

    .. deprecated:: 16.0.0
        Use :class:`argon2.PasswordHasher` for passwords.
    """
+    warnings.warn(
+        "argon2.hash_password" + _INSTEAD, DeprecationWarning, stacklevel=2
+    )
    if salt is None:
        salt = os.urandom(DEFAULT_RANDOM_SALT_LENGTH)
    return hash_secret(
@ -43,7 +52,7 @@ def hash_password(

 def hash_password_raw(
    password: bytes,
-    salt: Optional[bytes] = None,
+    salt: bytes | None = None,
    time_cost: int = DEFAULT_TIME_COST,
    memory_cost: int = DEFAULT_MEMORY_COST,
    parallelism: int = DEFAULT_PARALLELISM,
@ -51,11 +60,15 @@ def hash_password_raw(
    type: Type = Type.I,
 ) -> bytes:
    """
-    Legacy alias for :func:`hash_secret_raw` with default parameters.
+    Legacy alias for :func:`argon2.low_level.hash_secret_raw` with default
+    parameters.

    .. deprecated:: 16.0.0
        Use :class:`argon2.PasswordHasher` for passwords.
    """
+    warnings.warn(
+        "argon2.hash_password_raw" + _INSTEAD, DeprecationWarning, stacklevel=2
+    )
    if salt is None:
        salt = os.urandom(DEFAULT_RANDOM_SALT_LENGTH)
    return hash_secret_raw(
@ -67,9 +80,13 @@ def verify_password(
    hash: bytes, password: bytes, type: Type = Type.I
 ) -> Literal[True]:
    """
-    Legacy alias for :func:`verify_secret` with default parameters.
+    Legacy alias for :func:`argon2.low_level.verify_secret` with default
+    parameters.

    .. deprecated:: 16.0.0
        Use :class:`argon2.PasswordHasher` for passwords.
    """
+    warnings.warn(
+        "argon2.verify_password" + _INSTEAD, DeprecationWarning, stacklevel=2
+    )
    return verify_secret(hash, password, type)
--- a/src/argon2/_password_hasher.py
+++ b/src/argon2/_password_hasher.py
@ -1,24 +1,32 @@
 # SPDX-License-Identifier: MIT

+from __future__ import annotations
+
 import os

-from typing import Union
+from typing import ClassVar, Literal

-from ._typing import Literal
-from ._utils import Parameters, _check_types, extract_parameters
-from .exceptions import InvalidHash
+from ._utils import (
+    Parameters,
+    _check_types,
+    extract_parameters,
+    validate_params_for_platform,
+)
+from .exceptions import InvalidHashError
 from .low_level import Type, hash_secret, verify_secret
-from .profiles import RFC_9106_LOW_MEMORY
+from .profiles import get_default_parameters


-DEFAULT_RANDOM_SALT_LENGTH = RFC_9106_LOW_MEMORY.salt_len
-DEFAULT_HASH_LENGTH = RFC_9106_LOW_MEMORY.hash_len
-DEFAULT_TIME_COST = RFC_9106_LOW_MEMORY.time_cost
-DEFAULT_MEMORY_COST = RFC_9106_LOW_MEMORY.memory_cost
-DEFAULT_PARALLELISM = RFC_9106_LOW_MEMORY.parallelism
+default_params = get_default_parameters()
+
+DEFAULT_RANDOM_SALT_LENGTH = default_params.salt_len
+DEFAULT_HASH_LENGTH = default_params.hash_len
+DEFAULT_TIME_COST = default_params.time_cost
+DEFAULT_MEMORY_COST = default_params.memory_cost
+DEFAULT_PARALLELISM = default_params.parallelism


-def _ensure_bytes(s: Union[bytes, str], encoding: str) -> bytes:
+def _ensure_bytes(s: bytes | str, encoding: str) -> bytes:
    """
    Ensure *s* is a bytes string.  Encode using *encoding* if it isn't.
    """
@ -31,27 +39,36 @@ class PasswordHasher:
    r"""
    High level class to hash passwords with sensible defaults.

-    Uses Argon2\ **id** by default and always uses a random salt_ for hashing.
-    But it can verify any type of *Argon2* as long as the hash is correctly
-    encoded.
+    Uses Argon2\ **id** by default and uses a random salt_ for hashing. But it
+    can verify any type of Argon2 as long as the hash is correctly encoded.

    The reason for this being a class is both for convenience to carry
    parameters and to verify the parameters only *once*.  Any unnecessary
-    slowdown when hashing is a tangible advantage for a brute force attacker.
+    slowdown when hashing is a tangible advantage for a brute-force attacker.

-    :param int time_cost: Defines the amount of computation realized and
-        therefore the execution time, given in number of iterations.
-    :param int memory_cost: Defines the memory usage, given in kibibytes_.
-    :param int parallelism: Defines the number of parallel threads (*changes*
-        the resulting hash value).
-    :param int hash_len: Length of the hash in bytes.
-    :param int salt_len: Length of random salt to be generated for each
-        password.
-    :param str encoding: The *Argon2* C library expects bytes.  So if
-        :meth:`hash` or :meth:`verify` are passed a ``str``, it will be
-        encoded using this encoding.
-    :param Type type: *Argon2* type to use.  Only change for interoperability
-        with legacy systems.
+    Args:
+        time_cost:
+            Defines the amount of computation realized and therefore the
+            execution time, given in number of iterations.
+
+        memory_cost: Defines the memory usage, given in kibibytes_.
+
+        parallelism:
+            Defines the number of parallel threads (*changes* the resulting
+            hash value).
+
+        hash_len: Length of the hash in bytes.
+
+        salt_len: Length of random salt to be generated for each password.
+
+        encoding:
+            The Argon2 C library expects bytes.  So if :meth:`hash` or
+            :meth:`verify` are passed a ``str``, it will be encoded using this
+            encoding.
+
+        type:
+            Argon2 type to use.  Only change for interoperability with legacy
+            systems.

    .. versionadded:: 16.0.0
    .. versionchanged:: 18.2.0
@ -60,7 +77,7 @@ class PasswordHasher:
    .. versionchanged:: 18.2.0
       Changed default *memory_cost* to 100 MiB and default *parallelism* to 8.
    .. versionchanged:: 18.2.0 ``verify`` now will determine the type of hash.
-    .. versionchanged:: 18.3.0 The *Argon2* type is configurable now.
+    .. versionchanged:: 18.3.0 The Argon2 type is configurable now.
    .. versionadded:: 21.2.0 :meth:`from_parameters`
    .. versionchanged:: 21.2.0
       Changed defaults to :data:`argon2.profiles.RFC_9106_LOW_MEMORY`.
@ -68,6 +85,7 @@ class PasswordHasher:
    .. _salt: https://en.wikipedia.org/wiki/Salt_(cryptography)
    .. _kibibytes: https://en.wikipedia.org/wiki/Binary_prefix#kibi
    """
+
    __slots__ = ["_parameters", "encoding"]

    _parameters: Parameters
@ -95,8 +113,7 @@ class PasswordHasher:
        if e:
            raise TypeError(e)

-        # Cache a Parameters object for check_needs_rehash.
-        self._parameters = Parameters(
+        params = Parameters(
            type=type,
            version=19,
            salt_len=salt_len,
@ -105,19 +122,32 @@ class PasswordHasher:
            memory_cost=memory_cost,
            parallelism=parallelism,
        )
+
+        validate_params_for_platform(params)
+
+        # Cache a Parameters object for check_needs_rehash.
+        self._parameters = params
        self.encoding = encoding

    @classmethod
-    def from_parameters(cls, params: Parameters) -> "PasswordHasher":
+    def from_parameters(cls, params: Parameters) -> PasswordHasher:
        """
        Construct a `PasswordHasher` from *params*.

+        Returns:
+            A `PasswordHasher` instance with the parameters from *params*.
+
        .. versionadded:: 21.2.0
        """
-        ph = cls()
-        ph._parameters = params

-        return ph
+        return cls(
+            time_cost=params.time_cost,
+            memory_cost=params.memory_cost,
+            parallelism=params.parallelism,
+            hash_len=params.hash_len,
+            salt_len=params.salt_len,
+            type=params.type,
+        )

    @property
    def time_cost(self) -> int:
@ -143,20 +173,32 @@ class PasswordHasher:
    def type(self) -> Type:
        return self._parameters.type

-    def hash(self, password: Union[str, bytes]) -> str:
+    def hash(self, password: str | bytes, *, salt: bytes | None = None) -> str:
        """
        Hash *password* and return an encoded hash.

-        :param password: Password to hash.
-        :type password: ``bytes`` or ``str``
+        Args:
+            password: Password to hash.

-        :raises argon2.exceptions.HashingError: If hashing fails.
+            salt:
+                If None, a random salt is securely created.

-        :rtype: str
+                .. danger::
+
+                    You should **not** pass a salt unless you really know what
+                    you are doing.
+
+        Raises:
+            argon2.exceptions.HashingError: If hashing fails.
+
+        Returns:
+            Hashed *password*.
+
+        .. versionadded:: 23.1.0 *salt* parameter
        """
        return hash_secret(
            secret=_ensure_bytes(password, self.encoding),
-            salt=os.urandom(self.salt_len),
+            salt=salt or os.urandom(self.salt_len),
            time_cost=self.time_cost,
            memory_cost=self.memory_cost,
            parallelism=self.parallelism,
@ -164,14 +206,14 @@ class PasswordHasher:
            type=self.type,
        ).decode("ascii")

-    _header_to_type = {
+    _header_to_type: ClassVar[dict[bytes, Type]] = {
        b"$argon2i$": Type.I,
        b"$argon2d$": Type.D,
        b"$argon2id": Type.ID,
    }

    def verify(
-        self, hash: Union[str, bytes], password: Union[str, bytes]
+        self, hash: str | bytes, password: str | bytes
    ) -> Literal[True]:
        """
        Verify that *password* matches *hash*.
@ -182,23 +224,25 @@ class PasswordHasher:
            other parsing than the determination of the hash type is done by
            *argon2-cffi*.

-        :param hash: An encoded hash as returned from
-            :meth:`PasswordHasher.hash`.
-        :type hash: ``bytes`` or ``str``
+        Args:
+            hash: An encoded hash as returned from :meth:`PasswordHasher.hash`.

-        :param password: The password to verify.
-        :type password: ``bytes`` or ``str``
+            password: The password to verify.

-        :raises argon2.exceptions.VerifyMismatchError: If verification fails
-            because *hash* is not valid for *password*.
-        :raises argon2.exceptions.VerificationError: If verification fails for
-            other reasons.
-        :raises argon2.exceptions.InvalidHash: If *hash* is so clearly
-            invalid, that it couldn't be passed to *Argon2*.
+        Raises:
+            argon2.exceptions.VerifyMismatchError:
+                If verification fails because *hash* is not valid for
+                *password*.

-        :return: ``True`` on success, raise
-            :exc:`~argon2.exceptions.VerificationError` otherwise.
-        :rtype: bool
+            argon2.exceptions.VerificationError:
+                If verification fails for other reasons.
+
+            argon2.exceptions.InvalidHashError:
+                If *hash* is so clearly invalid, that it couldn't be passed to
+                Argon2.
+
+        Returns:
+            ``True`` on success, otherwise an exception is raised.

        .. versionchanged:: 16.1.0
            Raise :exc:`~argon2.exceptions.VerifyMismatchError` on mismatches
@ -208,18 +252,18 @@ class PasswordHasher:
        hash = _ensure_bytes(hash, "ascii")
        try:
            hash_type = self._header_to_type[hash[:9]]
-        except (IndexError, KeyError, LookupError):
-            raise InvalidHash()
+        except LookupError:
+            raise InvalidHashError from None

        return verify_secret(
            hash, _ensure_bytes(password, self.encoding), hash_type
        )

-    def check_needs_rehash(self, hash: str) -> bool:
+    def check_needs_rehash(self, hash: str | bytes) -> bool:
        """
        Check whether *hash* was created using the instance's parameters.

-        Whenever your *Argon2* parameters -- or *argon2-cffi*'s defaults! --
+        Whenever your Argon2 parameters -- or *argon2-cffi*'s defaults! --
        change, you should rehash your passwords at the next opportunity.  The
        common approach is to do that whenever a user logs in, since that
        should be the only time when you have access to the cleartext
@ -228,8 +272,16 @@ class PasswordHasher:
        Therefore it's best practice to check -- and if necessary rehash --
        passwords after each successful authentication.

-        :rtype: bool
+        Args:
+            hash: An encoded Argon2 password hash.
+
+        Returns:
+            Whether *hash* was created using the instance's parameters.

        .. versionadded:: 18.2.0
+        .. versionchanged:: 24.1.0 Accepts bytes for *hash*.
        """
+        if isinstance(hash, bytes):
+            hash = hash.decode("ascii")
+
        return self._parameters != extract_parameters(hash)
--- a/src/argon2/_typing.py
+++ b/src/argon2/_typing.py
@ -1,13 +0,0 @@
-# SPDX-License-Identifier: MIT
-
-import sys
-
-
-# try/except ImportError does NOT work.
-# c.f. https://github.com/python/mypy/issues/8520
-if sys.version_info >= (3, 8):
-    from typing import Literal
-else:
-    from typing_extensions import Literal
-
-__all__ = ["Literal"]
--- a/src/argon2/_utils.py
+++ b/src/argon2/_utils.py
@ -1,16 +1,20 @@
 # SPDX-License-Identifier: MIT

-from dataclasses import dataclass
-from typing import Any, Optional
+from __future__ import annotations

-from .exceptions import InvalidHash
+import platform
+import sys
+
+from dataclasses import dataclass
+
+from .exceptions import InvalidHashError, UnsupportedParametersError
 from .low_level import Type


 NoneType = type(None)


-def _check_types(**kw: Any) -> Optional[str]:
+def _check_types(**kw: tuple[object, type | tuple[type, ...]]) -> str | None:
    """
    Check each ``name: (value, types)`` in *kw*.

@ -20,13 +24,11 @@ def _check_types(**kw: Any) -> Optional[str]:
    for name, (value, types) in kw.items():
        if not isinstance(value, types):
            if isinstance(types, tuple):
-                types = ", or ".join(t.__name__ for t in types)
+                type_names = ", or ".join(t.__name__ for t in types)
            else:
-                types = types.__name__
+                type_names = types.__name__
            errors.append(
-                "'{name}' must be a {type} (got {actual})".format(
-                    name=name, type=types, actual=type(value).__name__
-                )
+                f"'{name}' must be a {type_names} (got {type(value).__name__})"
            )

    if errors != []:
@ -35,11 +37,18 @@ def _check_types(**kw: Any) -> Optional[str]:
    return None


-def _decoded_str_len(l: int) -> int:
+def _is_wasm() -> bool:
+    return sys.platform == "emscripten" or platform.machine() in [
+        "wasm32",
+        "wasm64",
+    ]
+
+
+def _decoded_str_len(length: int) -> int:
    """
    Compute how long an encoded string of length *l* becomes.
    """
-    rem = l % 4
+    rem = length % 4

    if rem == 3:
        last_group_len = 2
@ -48,7 +57,7 @@ def _decoded_str_len(l: int) -> int:
    else:
        last_group_len = 0

-    return l // 4 * 3 + last_group_len
+    return length // 4 * 3 + last_group_len


@dataclass
@ -58,13 +67,20 @@ class Parameters:

    See :doc:`parameters` on how to pick them.

-    :ivar Type type: Hash type.
-    :ivar int version: Argon2 version.
-    :ivar int salt_len: Length of the salt in bytes.
-    :ivar int hash_len: Length of the hash in bytes.
-    :ivar int time_cost: Time cost in iterations.
-    :ivar int memory_cost: Memory cost in kibibytes.
-    :ivar int parallelism: Number of parallel threads.
+    Attributes:
+        type: Hash type.
+
+        version: Argon2 version.
+
+        salt_len: Length of the salt in bytes.
+
+        hash_len: Length of the hash in bytes.
+
+        time_cost: Time cost in iterations.
+
+        memory_cost: Memory cost in kibibytes.
+
+        parallelism: Number of parallel threads.

    .. versionadded:: 18.2.0
    """
@ -77,15 +93,15 @@ class Parameters:
    memory_cost: int
    parallelism: int

-    __slots__ = [
-        "type",
-        "version",
-        "salt_len",
+    __slots__ = (
        "hash_len",
-        "time_cost",
        "memory_cost",
        "parallelism",
-    ]
+        "salt_len",
+        "time_cost",
+        "type",
+        "version",
+    )


 _NAME_TO_TYPE = {"argon2id": Type.ID, "argon2i": Type.I, "argon2d": Type.D}
@ -96,9 +112,11 @@ def extract_parameters(hash: str) -> Parameters:
    """
    Extract parameters from an encoded *hash*.

-    :param str params: An encoded Argon2 hash string.
+    Args:
+        hash: An encoded Argon2 hash string.

-    :rtype: Parameters
+    Returns:
+        The parameters used to create the hash.

    .. versionadded:: 18.2.0
    """
@ -109,10 +127,10 @@ def extract_parameters(hash: str) -> Parameters:
        parts.insert(2, "v=18")

    if len(parts) != 6:
-        raise InvalidHash
+        raise InvalidHashError

-    if parts[0] != "":
-        raise InvalidHash
+    if parts[0]:
+        raise InvalidHashError

    try:
        type = _NAME_TO_TYPE[parts[1]]
@ -120,14 +138,14 @@ def extract_parameters(hash: str) -> Parameters:
        kvs = {
            k: int(v)
            for k, v in (
-                s.split("=") for s in [parts[2]] + parts[3].split(",")
+                s.split("=") for s in [parts[2], *parts[3].split(",")]
            )
        }
-    except Exception:
-        raise InvalidHash
+    except Exception:  # noqa: BLE001
+        raise InvalidHashError from None

    if sorted(kvs.keys()) != _REQUIRED_KEYS:
-        raise InvalidHash
+        raise InvalidHashError

    return Parameters(
        type=type,
@ -138,3 +156,18 @@ def extract_parameters(hash: str) -> Parameters:
        memory_cost=kvs["m"],
        parallelism=kvs["p"],
    )
+
+
+def validate_params_for_platform(params: Parameters) -> None:
+    """
+    Validate *params* against current platform.
+
+    Args:
+        params: Parameters to be validated
+
+    Returns:
+       None
+    """
+    if _is_wasm() and params.parallelism != 1:
+        msg = "In WebAssembly environments `parallelism` must be 1."
+        raise UnsupportedParametersError(msg)
--- a/src/argon2/exceptions.py
+++ b/src/argon2/exceptions.py
@ -1,5 +1,7 @@
 # SPDX-License-Identifier: MIT

+from __future__ import annotations
+

 class Argon2Error(Exception):
    """
@ -35,9 +37,30 @@ class HashingError(Argon2Error):
    """


-class InvalidHash(ValueError):
+class InvalidHashError(ValueError):
    """
    Raised if the hash is invalid before passing it to Argon2.

-    .. versionadded:: 18.2.0
+    .. versionadded:: 23.1.0
+       As a replacement for :exc:`argon2.exceptions.InvalidHash`.
    """
+
+
+class UnsupportedParametersError(ValueError):
+    """
+    Raised if the current platform does not support the parameters.
+
+    For example, in WebAssembly parallelism must be set to 1.
+
+    .. versionadded:: 25.1.0
+    """
+
+
+InvalidHash = InvalidHashError
+"""
+Deprecated alias for :class:`InvalidHashError`.
+
+.. versionadded:: 18.2.0
+.. deprecated:: 23.1.0
+    Use :exc:`argon2.exceptions.InvalidHashError` instead.
+"""
--- a/src/argon2/low_level.py
+++ b/src/argon2/low_level.py
@ -5,16 +5,17 @@ Low-level functions if you want to build your own higher level abstractions.

 .. warning::
    This is a "Hazardous Materials" module.  You should **ONLY** use it if
-    you're 100% absolutely sure that you know what you’re doing because this
+    you're 100% absolutely sure that you know what you're doing because this
    module is full of land mines, dragons, and dinosaurs with laser guns.
 """

+from __future__ import annotations
+
 from enum import Enum
-from typing import Any
+from typing import Any, Literal

 from _argon2_cffi_bindings import ffi, lib

-from ._typing import Literal
 from .exceptions import HashingError, VerificationError, VerifyMismatchError


@ -44,28 +45,8 @@ class Type(Enum):
    """

    D = lib.Argon2_d
-    r"""
-    Argon2\ **d** is faster and uses data-depending memory access, which makes
-    it less suitable for hashing secrets and more suitable for cryptocurrencies
-    and applications with no threats from side-channel timing attacks.
-    """
-    I = lib.Argon2_i
-    r"""
-    Argon2\ **i** uses data-independent memory access.  Argon2i is slower as
-    it makes more passes over the memory to protect from tradeoff attacks.
-    """
+    I = lib.Argon2_i  # noqa: E741
    ID = lib.Argon2_id
-    r"""
-    Argon2\ **id** is a hybrid of Argon2i and Argon2d, using a combination of
-    data-depending and data-independent memory accesses, which gives some of
-    Argon2i's resistance to side-channel cache timing attacks and much of
-    Argon2d's resistance to GPU cracking attacks.
-
-    That makes it the preferred type for password hashing and password-based
-    key derivation.
-
-    .. versionadded:: 16.3.0
-    """


 def hash_secret(
@ -84,22 +65,27 @@ def hash_secret(
    An encoded hash can be directly passed into :func:`verify_secret` as it
    contains all parameters and the salt.

-    :param bytes secret: Secret to hash.
-    :param bytes salt: A salt_.  Should be random and different for each
-        secret.
-    :param Type type: Which Argon2 variant to use.
-    :param int version: Which Argon2 version to use.
+    Args:
+        secret: Secret to hash.

-    For an explanation of the Argon2 parameters see :class:`PasswordHasher`.
+        salt: A salt_. Should be random and different for each secret.

-    :rtype: bytes
+        type: Which Argon2 variant to use.

-    :raises argon2.exceptions.HashingError: If hashing fails.
+        version: Which Argon2 version to use.
+
+    For an explanation of the Argon2 parameters see
+    :class:`argon2.PasswordHasher`.
+
+    Returns:
+        An encoded Argon2 hash.
+
+    Raises:
+        argon2.exceptions.HashingError: If hashing fails.

    .. versionadded:: 16.0.0

    .. _salt: https://en.wikipedia.org/wiki/Salt_(cryptography)
-    .. _kibibytes: https://en.wikipedia.org/wiki/Binary_prefix#kibi
    """
    size = (
        lib.argon2_encodedlen(
@ -131,7 +117,7 @@ def hash_secret(
    if rv != lib.ARGON2_OK:
        raise HashingError(error_to_str(rv))

-    return ffi.string(buf)
+    return ffi.string(buf)  # type: ignore[no-any-return]


 def hash_secret_raw(
@ -178,20 +164,26 @@ def verify_secret(hash: bytes, secret: bytes, type: Type) -> Literal[True]:
    """
    Verify whether *secret* is correct for *hash* of *type*.

-    :param bytes hash: An encoded Argon2 hash as returned by
-        :func:`hash_secret`.
-    :param bytes secret: The secret to verify whether it matches the one
-        in *hash*.
-    :param Type type: Type for *hash*.
+    Args:
+        hash:
+            An encoded Argon2 hash as returned by :func:`hash_secret`.

-    :raises argon2.exceptions.VerifyMismatchError: If verification fails
-        because *hash* is not valid for *secret* of *type*.
-    :raises argon2.exceptions.VerificationError: If verification fails for
-        other reasons.
+        secret:
+            The secret to verify whether it matches the one in *hash*.

-    :return: ``True`` on success, raise
-        :exc:`~argon2.exceptions.VerificationError` otherwise.
-    :rtype: bool
+        type: Type for *hash*.
+
+    Raises:
+        argon2.exceptions.VerifyMismatchError:
+            If verification fails because *hash* is not valid for *secret* of
+            *type*.
+
+        argon2.exceptions.VerificationError:
+            If verification fails for other reasons.
+
+    Returns:
+        ``True`` on success, raise :exc:`~argon2.exceptions.VerificationError`
+        otherwise.

    .. versionadded:: 16.0.0
    .. versionchanged:: 16.1.0
@ -204,12 +196,14 @@ def verify_secret(hash: bytes, secret: bytes, type: Type) -> Literal[True]:
        len(secret),
        type.value,
    )
+
    if rv == lib.ARGON2_OK:
        return True
-    elif rv == lib.ARGON2_VERIFY_MISMATCH:
+
+    if rv == lib.ARGON2_VERIFY_MISMATCH:
        raise VerifyMismatchError(error_to_str(rv))
-    else:
-        raise VerificationError(error_to_str(rv))
+
+    raise VerificationError(error_to_str(rv))


 def core(context: Any, type: int) -> int:
@ -218,7 +212,7 @@ def core(context: Any, type: int) -> int:

    .. warning::
        This is a strictly advanced function working on raw C data structures.
-        Both *Argon2*'s and *argon2-cffi*'s higher-level bindings do a lot of
+        Both Argon2's and *argon2-cffi*'s higher-level bindings do a lot of
        sanity checks and housekeeping work that *you* are now responsible for
        (e.g. clearing buffers). The structure of the *context* object can,
        has, and will change with *any* release!
@ -226,30 +220,34 @@ def core(context: Any, type: int) -> int:
        Use at your own peril; *argon2-cffi* does *not* use this binding
        itself.

-    :param context: A CFFI *Argon2* context object (i.e. an ``struct
-        Argon2_Context``/``argon2_context``).
-    :param int type: Which *Argon2* variant to use.  You can use the ``value``
-        field of :class:`Type`'s fields.
+    Args:
+        context:
+            A CFFI Argon2 context object (i.e. an ``struct Argon2_Context`` /
+            ``argon2_context``).

-    :rtype: int
-    :return: An *Argon2* error code.  Can be transformed into a string using
+        type:
+            Which Argon2 variant to use.  You can use the ``value`` field of
+            :class:`Type`'s fields.
+
+    Returns:
+        An Argon2 error code.  Can be transformed into a string using
        :func:`error_to_str`.

    .. versionadded:: 16.0.0
    """
-    return lib.argon2_ctx(context, type)
+    return lib.argon2_ctx(context, type)  # type: ignore[no-any-return]


 def error_to_str(error: int) -> str:
    """
    Convert an Argon2 error code into a native string.

-    :param int error: An Argon2 error code as returned by :func:`core`.
+    Args:
+        error: An Argon2 error code as returned by :func:`core`.

-    :rtype: str
+    Returns:
+        A human-readable string describing the error.

    .. versionadded:: 16.0.0
    """
-    msg = ffi.string(lib.argon2_error_message(error))
-    msg = msg.decode("ascii")
-    return msg
+    return ffi.string(lib.argon2_error_message(error)).decode("ascii")  # type: ignore[no-any-return]
--- a/src/argon2/profiles.py
+++ b/src/argon2/profiles.py
@ -2,17 +2,38 @@

 """
 This module offers access to standardized parameters that you can load using
-:meth:`PasswordHasher.from_parameters()`. See the `source code
+:meth:`argon2.PasswordHasher.from_parameters()`. See the `source code
 <https://github.com/hynek/argon2-cffi/blob/main/src/argon2/profiles.py>`_ for
 concrete values and :doc:`parameters` for more information.

 .. versionadded:: 21.2.0
 """

-from ._utils import Parameters
+from __future__ import annotations
+
+import dataclasses
+
+from ._utils import Parameters, _is_wasm
 from .low_level import Type


+def get_default_parameters() -> Parameters:
+    """
+    Create default parameters for current platform.
+
+    Returns:
+        Default, compatible, parameters for current platform.
+
+    .. versionadded:: 25.1.0
+    """
+    params = RFC_9106_LOW_MEMORY
+
+    if _is_wasm():
+        params = dataclasses.replace(params, parallelism=1)
+
+    return params
+
+
 # FIRST RECOMMENDED option per RFC 9106.
 RFC_9106_HIGH_MEMORY = Parameters(
    type=Type.ID,
--- a/tests/test_legacy.py
+++ b/tests/test_legacy.py
@ -32,28 +32,41 @@ class TestHash:
        """
        Calling without arguments works.
        """
-        hash_password(b"secret")
+        with pytest.deprecated_call(
+            match="argon2.hash_password is deprecated"
+        ) as dc:
+            hash_password(b"secret")
+
+        assert dc.pop().filename.endswith("test_legacy.py")

    def test_raw_defaults(self):
        """
        Calling without arguments works.
        """
-        hash_password_raw(b"secret")
+        with pytest.deprecated_call(
+            match="argon2.hash_password_raw is deprecated"
+        ) as dc:
+            hash_password_raw(b"secret")
+
+        assert dc.pop().filename.endswith("test_legacy.py")

    @i_and_d_encoded
    def test_hash_password(self, type, hash):
        """
        Creates the same encoded hash as the Argon2 CLI client.
        """
-        rv = hash_password(
-            TEST_PASSWORD,
-            TEST_SALT,
-            TEST_TIME,
-            TEST_MEMORY,
-            TEST_PARALLELISM,
-            TEST_HASH_LEN,
-            type,
-        )
+        with pytest.deprecated_call(
+            match="argon2.hash_password is deprecated"
+        ):
+            rv = hash_password(
+                TEST_PASSWORD,
+                TEST_SALT,
+                TEST_TIME,
+                TEST_MEMORY,
+                TEST_PARALLELISM,
+                TEST_HASH_LEN,
+                type,
+            )

        assert hash == rv
        assert isinstance(rv, bytes)
@ -63,15 +76,18 @@ class TestHash:
        """
        Creates the same raw hash as the Argon2 CLI client.
        """
-        rv = hash_password_raw(
-            TEST_PASSWORD,
-            TEST_SALT,
-            TEST_TIME,
-            TEST_MEMORY,
-            TEST_PARALLELISM,
-            TEST_HASH_LEN,
-            type,
-        )
+        with pytest.deprecated_call(
+            match="argon2.hash_password_raw is deprecated"
+        ):
+            rv = hash_password_raw(
+                TEST_PASSWORD,
+                TEST_SALT,
+                TEST_TIME,
+                TEST_MEMORY,
+                TEST_PARALLELISM,
+                TEST_HASH_LEN,
+                type,
+            )

        assert hash == rv
        assert isinstance(rv, bytes)
@ -80,35 +96,49 @@ class TestHash:
        """
        Hashing passwords with NUL bytes works as expected.
        """
-        rv = hash_password_raw(b"abc\x00", TEST_SALT)
+        with pytest.deprecated_call(
+            match="argon2.hash_password_raw is deprecated"
+        ):
+            rv = hash_password_raw(b"abc\x00", TEST_SALT)

-        assert rv != hash_password_raw(b"abc", TEST_SALT)
+        with pytest.deprecated_call(
+            match="argon2.hash_password_raw is deprecated"
+        ):
+            assert rv != hash_password_raw(b"abc", TEST_SALT)

    def test_random_salt(self):
        """
        Omitting a salt, creates a random one.
        """
-        rv = hash_password(b"secret")
+        with pytest.deprecated_call(
+            match="argon2.hash_password is deprecated"
+        ):
+            rv = hash_password(b"secret")
        salt = rv.split(b",")[-1].split(b"$")[1]

        assert (
            # -1 for not NUL byte
-            int((DEFAULT_RANDOM_SALT_LENGTH << 2) / 3 + 2) - 1
-            == len(salt)
+            int((DEFAULT_RANDOM_SALT_LENGTH << 2) / 3 + 2) - 1 == len(salt)
        )

    def test_hash_wrong_arg_type(self):
        """
        Passing an argument of wrong type raises TypeError.
        """
-        with pytest.raises(TypeError):
+        with (
+            pytest.deprecated_call(match="argon2.hash_password is deprecated"),
+            pytest.raises(TypeError),
+        ):
            hash_password("oh no, unicode!")

    def test_illegal_argon2_parameter(self):
        """
        Raises HashingError if hashing fails.
        """
-        with pytest.raises(HashingError):
+        with (
+            pytest.deprecated_call(match="argon2.hash_password is deprecated"),
+            pytest.raises(HashingError),
+        ):
            hash_password(TEST_PASSWORD, memory_cost=1)

    @given(st.binary(max_size=128))
@ -116,14 +146,17 @@ class TestHash:
        """
        Hash various passwords as cheaply as possible.
        """
-        hash_password(
-            password,
-            salt=b"12345678",
-            time_cost=1,
-            memory_cost=8,
-            parallelism=1,
-            hash_len=8,
-        )
+        with pytest.deprecated_call(
+            match="argon2.hash_password is deprecated"
+        ):
+            hash_password(
+                password,
+                salt=b"12345678",
+                time_cost=1,
+                memory_cost=8,
+                parallelism=1,
+                hash_len=8,
+            )


 class TestVerify:
@ -132,18 +165,33 @@ class TestVerify:
        """
        Given a valid hash and password and correct type, we succeed.
        """
-        assert True is verify_password(hash, TEST_PASSWORD, type)
+        with pytest.deprecated_call(
+            match="argon2.verify_password is deprecated"
+        ) as dc:
+            assert True is verify_password(hash, TEST_PASSWORD, type)
+
+        assert dc.pop().filename.endswith("test_legacy.py")

    def test_fail_wrong_argon2_type(self):
        """
        Given a valid hash and password and wrong type, we fail.
        """
-        with pytest.raises(VerificationError):
+        with (
+            pytest.deprecated_call(
+                match="argon2.verify_password is deprecated"
+            ),
+            pytest.raises(VerificationError),
+        ):
            verify_password(TEST_HASH_I, TEST_PASSWORD, Type.D)

    def test_wrong_arg_type(self):
        """
        Passing an argument of wrong type raises TypeError.
        """
-        with pytest.raises(TypeError):
+        with (
+            pytest.deprecated_call(
+                match="argon2.verify_password is deprecated"
+            ),
+            pytest.raises(TypeError),
+        ):
            verify_password(TEST_HASH_I, TEST_PASSWORD.decode("ascii"))
--- a/tests/test_low_level.py
+++ b/tests/test_low_level.py
@ -95,11 +95,11 @@ TEST_PARALLELISM = 4
 TEST_HASH_LEN = 32

 i_and_d_encoded = pytest.mark.parametrize(
-    "type,hash",
+    ("type", "hash"),
    [(Type.I, TEST_HASH_I), (Type.D, TEST_HASH_D), (Type.ID, TEST_HASH_ID)],
 )
 i_and_d_raw = pytest.mark.parametrize(
-    "type,hash",
+    ("type", "hash"),
    [(Type.I, TEST_RAW_I), (Type.D, TEST_RAW_D), (Type.ID, TEST_RAW_ID)],
 )

@ -185,13 +185,15 @@ class TestHash:
                Type.I,
            )

-    @both_hash_funcs
-    @given(st.binary(max_size=128))
+    @given(
+        st.sampled_from((hash_secret, hash_secret_raw)),
+        st.binary(max_size=128),
+    )
    def test_hash_fast(self, func, secret):
        """
        Hash various secrets as cheaply as possible.
        """
-        hash_secret(
+        func(
            secret,
            salt=b"12345678",
            time_cost=1,
@ -294,40 +296,37 @@ def test_core():

    ctx = ffi.new(
        "argon2_context *",
-        dict(
-            out=cout,
-            outlen=hash_len,
-            version=ARGON2_VERSION,
-            pwd=cpwd,
-            pwdlen=len(pwd),
-            salt=csalt,
-            saltlen=len(salt),
-            secret=ffi.NULL,
-            secretlen=0,
-            ad=ffi.NULL,
-            adlen=0,
-            t_cost=1,
-            m_cost=8,
-            lanes=1,
-            threads=1,
-            allocate_cbk=ffi.NULL,
-            free_cbk=ffi.NULL,
-            flags=lib.ARGON2_DEFAULT_FLAGS,
-        ),
+        {
+            "out": cout,
+            "outlen": hash_len,
+            "version": ARGON2_VERSION,
+            "pwd": cpwd,
+            "pwdlen": len(pwd),
+            "salt": csalt,
+            "saltlen": len(salt),
+            "secret": ffi.NULL,
+            "secretlen": 0,
+            "ad": ffi.NULL,
+            "adlen": 0,
+            "t_cost": 1,
+            "m_cost": 8,
+            "lanes": 1,
+            "threads": 1,
+            "allocate_cbk": ffi.NULL,
+            "free_cbk": ffi.NULL,
+            "flags": lib.ARGON2_DEFAULT_FLAGS,
+        },
    )

    rv = core(ctx, Type.D.value)

    assert 0 == rv
-    assert (
-        hash_secret_raw(
-            pwd,
-            salt=salt,
-            time_cost=1,
-            memory_cost=8,
-            parallelism=1,
-            hash_len=hash_len,
-            type=Type.D,
-        )
-        == bytes(ffi.buffer(ctx.out, ctx.outlen))
-    )
+    assert hash_secret_raw(
+        pwd,
+        salt=salt,
+        time_cost=1,
+        memory_cost=8,
+        parallelism=1,
+        hash_len=hash_len,
+        type=Type.D,
+    ) == bytes(ffi.buffer(ctx.out, ctx.outlen))
--- a/tests/test_packaging.py
+++ b/tests/test_packaging.py
@ -0,0 +1,50 @@
+# SPDX-License-Identifier: MIT
+
+
+from importlib import metadata
+
+import pytest
+
+import argon2
+
+
+class TestLegacyMetadataHack:
+    def test_version(self):
+        """
+        argon2.__version__ returns the correct version.
+        """
+        with pytest.deprecated_call():
+            assert metadata.version("argon2-cffi") == argon2.__version__
+
+    def test_description(self):
+        """
+        argon2.__description__ returns the correct description.
+        """
+        with pytest.deprecated_call():
+            assert "Argon2 for Python" == argon2.__description__
+
+    def test_uri(self):
+        """
+        argon2.__uri__ returns the correct project URL.
+        """
+        with pytest.deprecated_call():
+            assert "https://argon2-cffi.readthedocs.io/" == argon2.__uri__
+
+        with pytest.deprecated_call():
+            assert "https://argon2-cffi.readthedocs.io/" == argon2.__url__
+
+    def test_email(self):
+        """
+        argon2.__email__ returns Hynek's email address.
+        """
+        with pytest.deprecated_call():
+            assert "hs@ox.cx" == argon2.__email__
+
+    def test_does_not_exist(self):
+        """
+        Asking for unsupported dunders raises an AttributeError.
+        """
+        with pytest.raises(
+            AttributeError, match="module argon2 has no attribute __yolo__"
+        ):
+            argon2.__yolo__  # noqa: B018
--- a/tests/test_password_hasher.py
+++ b/tests/test_password_hasher.py
@ -1,10 +1,22 @@
 # SPDX-License-Identifier: MIT

+import secrets
+import sys
+import threading
+
+from concurrent.futures import ThreadPoolExecutor
+from unittest import mock
+
 import pytest

-from argon2 import PasswordHasher, Type, extract_parameters
+from argon2 import PasswordHasher, Type, extract_parameters, profiles
 from argon2._password_hasher import _ensure_bytes
-from argon2.exceptions import InvalidHash
+from argon2._utils import Parameters
+from argon2.exceptions import (
+    InvalidHash,
+    InvalidHashError,
+    UnsupportedParametersError,
+)


 class TestEnsureBytes:
@ -51,6 +63,18 @@ class TestPasswordHasher:
        assert isinstance(h, str)
        assert h[: len(prefix)] == prefix

+    def test_custom_salt(self):
+        """
+        A custom salt can be specified.
+        """
+        ph = PasswordHasher.from_parameters(profiles.CHEAPEST)
+
+        h = ph.hash(b"password", salt=b"1234567890123456")
+
+        assert h == (
+            "$argon2id$v=19$m=8,t=1,p=1$MTIzNDU2Nzg5MDEyMzQ1Ng$maTa5w"
+        )
+
    @bytes_and_str_password
    def test_verify_agility(self, password):
        """
@ -83,29 +107,46 @@ class TestPasswordHasher:

        assert "'time_cost' must be a int (got str)." == e.value.args[0]

+    def test_verify_invalid_hash_error(self):
+        """
+        If the hash can't be parsed, InvalidHashError is raised.
+        """
+        with pytest.raises(InvalidHashError):
+            PasswordHasher().verify("tiger", "does not matter")
+
    def test_verify_invalid_hash(self):
        """
-        If the hash can't be parsed, InvalidHash is raised.
+        InvalidHashError and the deprecrated InvalidHash are the same.
        """
        with pytest.raises(InvalidHash):
            PasswordHasher().verify("tiger", "does not matter")

-    def test_check_needs_rehash_no(self):
+    @pytest.mark.parametrize("use_bytes", [True, False])
+    def test_check_needs_rehash_no(self, use_bytes):
        """
        Return False if the hash has the correct parameters.
        """
        ph = PasswordHasher(1, 8, 1, 16, 16)

-        assert not ph.check_needs_rehash(ph.hash("foo"))
+        hash = ph.hash("foo")
+        if use_bytes:
+            hash = hash.encode()

-    def test_check_needs_rehash_yes(self):
+        assert not ph.check_needs_rehash(hash)
+
+    @pytest.mark.parametrize("use_bytes", [True, False])
+    def test_check_needs_rehash_yes(self, use_bytes):
        """
        Return True if any of the parameters changes.
        """
        ph = PasswordHasher(1, 8, 1, 16, 16)
        ph_old = PasswordHasher(1, 8, 1, 8, 8)

-        assert ph.check_needs_rehash(ph_old.hash("foo"))
+        hash = ph_old.hash("foo")
+        if use_bytes:
+            hash = hash.encode()
+
+        assert ph.check_needs_rehash(hash)

    def test_type_is_configurable(self):
        """
@ -122,3 +163,74 @@ class TestPasswordHasher:
        assert Type.I is ph.type is ph._parameters.type
        assert Type.I is extract_parameters(ph.hash("foo")).type
        assert ph.check_needs_rehash(default_hash)
+
+    @mock.patch("sys.platform", "emscripten")
+    @pytest.mark.parametrize("machine", ["wasm32", "wasm64"])
+    def test_params_on_wasm(self, machine):
+        """
+        Parameter validation catches invalid parameters on WebAssembly.
+        """
+        with mock.patch("platform.machine", return_value=machine):
+            with pytest.raises(
+                UnsupportedParametersError,
+                match="In WebAssembly environments `parallelism` must be 1",
+            ):
+                PasswordHasher(parallelism=2)
+
+            # last param is parallelism so it should fail
+            params = Parameters(Type.I, 2, 8, 8, 3, 256, 8)
+            with pytest.raises(
+                UnsupportedParametersError,
+                match="In WebAssembly environments `parallelism` must be 1",
+            ):
+                ph = PasswordHasher.from_parameters(params)
+
+            # explicitly correct parameters
+            ph = PasswordHasher(parallelism=1)
+
+            hash = ph.hash("hello")
+
+            assert ph.verify(hash, "hello") is True
+
+            # explicit, but still default parameters
+            default_params = profiles.get_default_parameters()
+            ph = PasswordHasher.from_parameters(default_params)
+
+            hash = ph.hash("hello")
+
+            assert ph.verify(hash, "hello") is True
+
+
+def test_multithreaded_hashing():
+    """
+    Hash passwords in a thread pool and check for thread safety
+    """
+    hasher = PasswordHasher(parallelism=2)
+
+    num_passwords = 100
+
+    passwords = [secrets.token_urlsafe(15) for _ in range(num_passwords)]
+
+    def closure(b, passwords):
+        b.wait()
+        for password in passwords:
+            assert hasher.verify(hasher.hash(password), password)
+
+    max_workers = 4
+
+    chunks = [passwords[i::max_workers] for i in range(max_workers)]
+    orig_interval = sys.getswitchinterval()
+
+    with ThreadPoolExecutor(max_workers=max_workers) as tpe:
+        barrier = threading.Barrier(max_workers)
+        futures = []
+        try:
+            sys.setswitchinterval(0.00001)
+            for chunk in chunks:
+                futures.append(tpe.submit(closure, barrier, chunk))  # noqa: PERF401
+        finally:
+            sys.setswitchinterval(orig_interval)
+            if len(futures) < max_workers:
+                barrier.abort()
+        for f in futures:
+            f.result()
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@ -1,6 +1,7 @@
 # SPDX-License-Identifier: MIT

 from base64 import b64encode
+from dataclasses import replace

 import pytest

@ -9,7 +10,7 @@ from hypothesis import strategies as st

 from argon2 import Parameters, Type, extract_parameters
 from argon2._utils import NoneType, _check_types, _decoded_str_len
-from argon2.exceptions import InvalidHash
+from argon2.exceptions import InvalidHashError


 class TestCheckTypes:
@ -105,24 +106,24 @@ class TestExtractParameters:
        """
        Invalid hashes of various types raise an InvalidHash error.
        """
-        with pytest.raises(InvalidHash):
+        with pytest.raises(InvalidHashError):
            extract_parameters(hash)


 class TestParameters:
    def test_eq(self):
        """
-        Parameters are iff every attribute is equal.
+        Parameters are equal iff every attribute is equal.
        """
-        assert VALID_PARAMETERS == VALID_PARAMETERS
-        assert not VALID_PARAMETERS != VALID_PARAMETERS
+        assert VALID_PARAMETERS == VALID_PARAMETERS  # noqa: PLR0124
+        assert VALID_PARAMETERS != replace(VALID_PARAMETERS, salt_len=9)

    def test_eq_wrong_type(self):
        """
        Parameters are only compared if they have the same type.
        """
        assert VALID_PARAMETERS != "foo"
-        assert not VALID_PARAMETERS == object()
+        assert VALID_PARAMETERS != object()

    def test_repr(self):
        """
--- a/tests/typing/api.py
+++ b/tests/typing/api.py
@ -1,10 +1,13 @@
 import argon2


+argon2.PasswordHasher.from_parameters(argon2.profiles.RFC_9106_HIGH_MEMORY)
 ph = argon2.PasswordHasher()

 ph.hash("pw")
+ph.hash("pw", salt=b"salt")
 ph.hash(b"pw")
+ph.hash(b"pw", salt=b"salt")
 ph.verify("hash", "pw")
 ph.verify(b"hash", "pw")
 ph.verify(b"hash", b"pw")
@ -12,3 +15,5 @@ ph.verify("hash", b"pw")

 if ph.check_needs_rehash("hash") is True:
    ...
+
+params: argon2.Parameters = argon2.profiles.get_default_parameters()
--- a/tox.ini
+++ b/tox.ini
@ -1,144 +1,134 @@
-[flake8]
-exclude = src/argon2/_ffi.py
-ignore =
-    # Ambiguous variable names
-    # Ignored, since there is an enum value "I" for the algorithm type Argon2I
-    E741
-    # Not an actual PEP8 violation
-    W503
-    # Black vs flake8 conflict
-    E203
-
-
-# Keep docs in sync with docs env and .readthedocs.yml.
-# We don't run pre-commit in CI, because we use pre-commit.ci.
-[gh-actions]
-python =
-    3.6: py36
-    3.7: py37
-    3.8: py38
-    3.9: py39, mypy
-    3.10: py310, cogCheck, docs, bindings-main
-    pypy-3: pypy3
-
-
 [tox]
-envlist = pre-commit,mypy,cogCheck,cog,py36,py37,py38,py39,py310,pypy3,system-argon2,bindings-main,docs,pypi-description,coverage-report
-isolated_build = true
+min_version = 4.25
+env_list =
+    pre-commit,
+    py3{9-14}-{tests,mypy},
+    py314t-tests,
+    py314-tests-{bindings-main,system-argon2},
+    pypy3-tests,
+    typing-{pyright,ty,pyrefly,mypy}
+    docs-doctests,
+    coverage-{combine,report}


-[testenv:docs]
-description = Build docs and run doctests.
-# Keep basepython in sync with gh-actions and .readthedocs.yml.
-basepython = python3.8
-extras = docs
+[testenv]
+description = Run tests / check types and do NOT measure coverage.
+package = wheel
+wheel_build_env = .pkg
+dependency_groups =
+    tests: tests
+    mypy: typing
+pass_env =
+    FORCE_COLOR
+    NO_COLOR
 commands =
-    python -m doctest README.rst
-    sphinx-build -W -b html -d {envtmpdir}/doctrees docs docs/_build/html
-    sphinx-build -W -b doctest -d {envtmpdir}/doctrees docs docs/_build/html
+    tests: pytest {posargs}
+    tests: python -Im argon2 -n 1 -t 1 -m 8 -p 1
+    mypy: mypy tests/typing
+
+
+[testenv:py3{9,14}-tests]
+# Keep coverage-combine's depends with the versions.
+description = Run tests and measure coverage.
+deps = coverage[toml]
+commands =
+    coverage run -m pytest {posargs}
+    coverage run -m argon2 -n 1 -t 1 -m 8 -p 1
+    coverage run -m argon2 --profile CHEAPEST
+
+
+# Split combine/report in 2 to avoid excessive "Combined data file ..." output.
+[testenv:coverage-combine]
+# Keep base_python in-sync with .python-version-default
+base_python = py313
+# Keep in-sync with test env definition above.
+depends = py3{9,14}-tests
+skip_install = true
+deps = coverage
+commands = coverage combine
+
+[testenv:coverage-report]
+description = Report coverage over oldest and latest supported Python
+# Keep base_python in-sync with .python-version-default
+base_python = py313
+skip_install = true
+depends = coverage-combine
+deps = coverage
+parallel_show_output = true
+commands = coverage report
+
+[testenv:system-argon2]
+description = Run tests against bindings that use a system installation of Argon2.
+set_env = ARGON2_CFFI_USE_SYSTEM=1
+install_command = pip install {opts} --no-binary=argon2-cffi-bindings {packages}
+
+[testenv:py312-bindings-main]
+description = Run tests against the current main branch of argon2-cffi-bindings
+dependency_groups =
+deps =
+commands_pre = pip install -I hypothesis pytest git+https://github.com/hynek/argon2-cffi-bindings
+install_command = pip install {opts} --no-deps {packages}


 [testenv:pre-commit]
 description = Run all pre-commit hooks.
-basepython = python3.10
 skip_install = true
-deps = pre-commit
-passenv = HOMEPATH  # needed on Windows
+deps = pre-commit-uv
 commands = pre-commit run --all-files


-[testenv:mypy]
-description = Check types
-basepython = python3.9
-extras = tests
+[testenv:typing-mypy]
+description = Check own code with Mypyy.
+# Keep base_python in-sync with .python-version-default
+base_python = py313
 deps = mypy
-commands = mypy src typing_examples.py
+dependency_groups = typing
+commands = mypy src
+
+[testenv:typing-pyright]
+description = Check API and own code with Pyright
+deps = pyright
+dependency_groups = typing
+commands = pyright src tests/typing
+
+[testenv:typing-ty]
+description = Check API with ty
+deps = ty
+dependency_groups = typing
+commands = ty check src tests/typing
+
+[testenv:typing-pyrefly]
+description = Check API with pyrefly
+deps = pyrefly
+dependency_groups = typing
+commands = pyrefly check src tests/typing


-[testenv:cog]
-description = "Update pyproject.toml's metadata"
-skip_install = true
-deps =
-    cogapp>=3.3.0
-    tomli
-commands = python -m cogapp -rP pyproject.toml
-
-
-[testenv:cogCheck]
-description = "Ensure pyproject.toml is up to date"
-basepython = python3.10
-skip_install = true
-deps = {[testenv:cog]deps}
-commands = python -m cogapp --check -P pyproject.toml
-
-
-[testenv:py37]
-description = Run tests and measure coverage.
-extras = tests
+[testenv:docs-{build,doctests,linkcheck}]
+# Keep base_python in sync with .readthedocs.yaml.
+base_python = py313
+dependency_groups = docs
 commands =
-    coverage run -m pytest {posargs}
-    coverage run -m argon2 -n 1 -t 1 -m 8 -p 1
-    coverage run -m argon2 --profile CHEAPEST
+    build: sphinx-build -n -T -W -b html -d {envtmpdir}/doctrees docs {posargs:docs/_build/}html
+    doctests: python -m doctest README.md
+    doctests: sphinx-build -n -T -W -b doctest -d {envtmpdir}/doctrees docs {posargs:docs/_build/}html
+    linkcheck: sphinx-build -W -b linkcheck -d {envtmpdir}/doctrees docs docs/_build/html

-
-[testenv:py310]
-description = Run tests and measure coverage.
-extras = tests
+[testenv:docs-watch]
+package = editable
+base_python = {[testenv:docs-build]base_python}
+dependency_groups = {[testenv:docs-build]dependency_groups}
+deps = watchfiles
 commands =
-    coverage run -m pytest {posargs}
-    coverage run -m argon2 -n 1 -t 1 -m 8 -p 1
-    coverage run -m argon2 --profile CHEAPEST
+    watchfiles \
+        --ignore-paths docs/_build/ \
+        'sphinx-build -W -n --jobs auto -b html -d {envtmpdir}/doctrees docs docs/_build/html' \
+        src \
+        docs \
+        README.md \
+        CHANGELOG.md

-
-[testenv:coverage-report]
-description = Report coverage over all test runs.
-depends = py310
-basepython = python3.10
-deps = coverage[toml]>=5.0.2
-skip_install = true
-commands =
-    coverage combine
-    coverage report
-
-
-[testenv]
-description = Run tests and do NOT measure coverage.
-extras = tests
-commands =
-    python -m pytest {posargs}
-    python -m argon2 -n 1 -t 1 -m 8 -p 1
-
-
-[testenv:system-argon2]
-description = Run tests against bindings that use a system installation of Argon2.
-basepython = python3.8
-setenv = ARGON2_CFFI_USE_SYSTEM=1
-extras = tests
-install_command =
-    pip install {opts} --no-binary=argon2-cffi-bindings {packages}
-commands =
-    python -m pytest {posargs}
-    python -m argon2 -n 1 -t 1 -m 8 -p 1
-
-
-[testenv:bindings-main]
-description = Run tests against the current main branch of argon2-cffi-bindings
-basepython = python3.10
-extras = tests
-install_command =
-    pip install {opts} --no-deps {packages}
-commands =
-    pip install hypothesis pytest git+https://github.com/hynek/argon2-cffi-bindings
-    python -m pytest {posargs}
-    python -m argon2 -n 1 -t 1 -m 8 -p 1
-
-
-[testenv:pypi-description]
-description = Ensure README.rst renders on PyPI.
-skip_install = true
-deps =
-    twine
-    pip >= 18.0.0
-commands =
-    pip wheel -w {envtmpdir}/build --no-deps .
-    twine check {envtmpdir}/build/*
+[testenv:docs-linkcheck]
+base_python = {[testenv:docs]base_python}
+dependency_groups = {[testenv:docs]dependency_groups}
+commands = sphinx-build -W -b linkcheck -d {envtmpdir}/doctrees docs docs/_build/html