Encoding, Hashing & Security Tools
Base64, URL encoding, hash generation, passwords, and JWT decoding — security-adjacent utilities.
Encoding, hashing, and auth-token handling come up constantly in web development and operations. Every tool in this section runs in-browser, so trying out tokens with sensitive content does not send them anywhere. The one habit to keep is not pasting real production secrets while screen-sharing.
Tools in this topic (14)
Base64 Encode / Decode
Encode and decode Base64 in your browser
Image to Base64 (Data URL)
Encode image files to Base64 or a data URL for CSS / HTML inline embedding
URL Encode / Decode
Encode and decode URL strings in your browser
HTML Entity Encoder / Decoder
Encode and decode HTML entities instantly in your browser
Punycode Converter
Convert internationalized domain names between Unicode and Punycode
Text to Binary Converter
Convert text to binary (0s and 1s) and back
Binary ↔ Text Converter
Convert between text and binary representation
Hash Generator
Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes in your browser
HMAC Generator
Generate HMAC using SHA-1, SHA-256, SHA-384, or SHA-512 in your browser
JWT Decoder
Decode and inspect JSON Web Tokens (JWT) instantly in your browser
JWT Generator (HS256/384/512)
Generate signed JWTs from a header, payload, and secret. Signing via Web Crypto
UUID Generator
Generate UUID v4 or v7 instantly in your browser with one click
ULID / NanoID / Snowflake Generator
Generate ULID, NanoID, or Snowflake IDs in your browser — pick the right format for your keys, tokens, or distributed system
Password Generator
Generate secure random passwords
Related articles
-
Base64 padding deep dive: when `=` is required, when it's optional, and how libraries disagree
What the trailing `=` characters in Base64 actually do, where RFC 4648 explicitly allows omission, how each language''s standard library handles padded vs unpadded input, and where JWT''s no-padding convention comes from.
-
URL fragment (`#`) gotchas: server invisibility, SPA routing, OAuth implicit flow leaks, and scroll restoration
The URL fragment after `#` is intentionally not sent to the server, per RFC 3986 §3.5. That single rule cascades into "fragments don''t appear in server logs," "SPA hash routing has SEO costs," "OAuth implicit flow can leak access tokens," and several other recurring traps.
-
Picking an ID scheme: UUID v4 / v7, ULID, NanoID, and Snowflake by use case
A use-case-driven comparison of five ID schemes — UUID v4, UUID v7, ULID, NanoID, and Snowflake — covering database keys, public-facing tokens, and distributed-ID generation, with a decision flow for new projects.
-
5 JWT implementation pitfalls still hitting production in 2026
alg=none, kid injection, missing exp validation, tokens without expiration, and brittle key rotation — five JWT vulnerabilities that keep recurring, with concrete attack scenarios and fixes for each.
-
Choosing a URL-safe encoding: Base64url vs Base32 vs Base58 vs hex
A side-by-side comparison of four byte-to-text encodings — alphabet, output length, and the practical pitfalls of each — with concrete recommendations for JWTs, TOTP secrets, crypto addresses, and hash display.
-
Why Base64 grows by 4/3, and how URL-safe Base64 differs
How Base64 works, the 3-byte to 4-character mapping, why output is roughly 33% larger, and the URL-safe variant that swaps `+/` for `-_`.
-
How to choose between MD5, SHA-1, and SHA-256 in practice
Differences between MD5, SHA-1, and SHA-256, the state of collision attacks, and which to use for checksums vs signatures vs password storage.
-
HMAC vs hash: why message authentication needs a key
How HMAC differs from a plain hash, why adding a key turns hashing into authentication, and where HMAC fits in real protocols.