Get started
HomeEncoding & Security
10 tools

Encoding & Security

Encode, hash, decode & verify

Encoding, decoding, hashing, and token inspection tools for day-to-day security and auth work. JWT Decoder inspects bearer tokens without hitting a server. Base64 and URL encoders/decoders handle the common text-transport formats. Hash Generator computes SHA-1/256/384/512 of text or files; HMAC Generator signs messages with a shared key. Password Generator produces cryptographically strong passwords; Password Strength analyses existing ones. All tools use the browser's Web Crypto API, so cryptographic operations run at native speed and your secrets never leave the device.

Flagship tools · fully interactive
JWT Decoder
Inspect JWT payloads
Password Generator
Strong, customizable passwords
Choosing between these tools

For **checking** the contents of a JWT, use JWT Decoder — its UI surfaces header, payload, and expiry separately. For **generic Base64** work on arbitrary text, use Base64 Encode / Base64 Decode. For URL query values, URL Encode / URL Decode are purpose-built. To **hash** text or files (for fingerprints, checksums, or deduplication), use Hash Generator. To **sign** a message with a shared key (API request signing, webhook verification), use HMAC Generator. Password Generator makes new passwords; Password Strength rates an existing one.

All encoding & security
Base64 Encode
Encode text to Base64
Base64 Decode
Decode Base64 strings
URL Encode
Percent-encode text
URL Decode
Decode URL encoding
Hash Generator
MD5, SHA-256, SHA-512
Strength Checker
Entropy & crack-time estimate
HMAC Generator
HMAC with any hash
SSL Checker
Inspect SSL certificates
Frequently asked
Can any of these tools store or log the data I enter?

No. Every tool in this category runs client-side only — the wrapper in lib/analytics.ts sends tool-open / tool-upload / tool-success events (no content) to GA4 only if you've accepted the consent banner. Your keys, tokens, and passwords stay local.

Is the password generator cryptographically secure?

Yes — it uses crypto.getRandomValues() via the Web Crypto API. No Math.random() anywhere. The same API is used for UUIDs and Random Number.

Why no MD5 in Hash Generator?

MD5 is cryptographically broken and deprecated for anything security-adjacent. For integrity checksums that don't need cryptographic strength, SHA-1 and SHA-256 are safe to use and roughly the same speed.

Does JWT Decoder verify signatures?

No. Verification requires the issuer's public key and is typically done server-side in code. The decoder shows you the token's contents so you can debug — it doesn't validate trust.

Are any of these tools uploading my files?

No. Every tool in this category runs entirely in your browser. Files you drop in are processed locally, never sent to a server, and discarded when you leave the page.