The one rule for this entire pillar
None of these tools are for secrecy. Base64 is encoding, not encryption. JWT decoding shows you claims but proves nothing. MD5 and SHA hashes are fast by design — exactly what you don't want for passwords. If you need actual secrecy or authentication, use:
- For passwords: bcrypt, argon2id, or scrypt. Never a fast hash.
- For secrecy: AES-GCM or equivalent AEAD via WebCrypto / libsodium. Not in a web form.
- For auth tokens: generate and verify server-side with a real JWT library, never trust a decoded JWT as authenticated.
Why these tools live together
Encoding and inspection utilities share a security posture: they handle inputs that are sometimes sensitive (tokens, API keys, personal data). That's why every tool in this pillar runs 100% in your browser — no server, no log files, no request trails. Open DevTools → Network and paste a token: zero requests.
They also share a workflow. Devs don't use just one of them — they chain:
- Decode a JWT → inspect the payload → spot an ID that looks like a hash → verify in the Hash Generator.
- Receive a
data:URL → strip to pure Base64 → decode → save somewhere. - Build a URL with query params → percent-encode the values → smoke-test the whole URL.
- Generate UUIDs for test fixtures → use them as idempotency keys in real requests.
Standards these tools follow
- Base64: RFC 4648 (standard + URL-safe variants)
- URL encoding: RFC 3986 + application/x-www-form-urlencoded
- JWT: RFC 7519 (claims), RFC 7515 (signing / JWS)
- Hashes: FIPS 180-4 for SHA-1/SHA-2 family, RFC 1321 for MD5
- UUIDs: RFC 9562 (supersedes 4122); v4 and v7 supported
All 9 tools in this pillar
- Base64 Encoder / Decoder — Encode and decode Base64 strings and files. Client-side, safe for sensitive data.
- URL Encoder / Decoder — Percent-encode and decode URLs per RFC 3986.
- JWT Decoder — Decode and inspect JSON Web Tokens. Local-only — tokens never leave your browser.
- UUID Generator — Generate UUID v4 and v7 identifiers in bulk.
- Hash Generator — Generate MD5, SHA-1, SHA-256, and SHA-512 hashes client-side.
- QR Code Generator — Generate QR codes for URLs, text, Wi-Fi, contact cards. Custom size, colors, error correction. Download as PNG or SVG. 100% client-side.
- Password Generator — Generate strong random passwords with configurable length, character classes, and exclusions. Real entropy meter, crack-time estimate, bulk mode.
- Number Base Converter — Convert between binary, octal, decimal, hexadecimal, and text (UTF-8). Handles arbitrary lengths. Per-byte and per-character views.
- ROT13 / Caesar Cipher — Encode and decode ROT13 and arbitrary Caesar shifts. Letter frequency analysis. 100% client-side.
Further reading
- Base64: How It Actually Works Under the Hood
- When You Should NOT Use Base64 Encoding
- Percent Encoding and RFC 3986 Explained
- Decoding a JWT Is Not the Same as Verifying It
- MD5 Is Dead. Use These Instead
- UUID v4 vs v7 for Databases: The Benchmark You Need
Other pillars
- Data & Format — JSON, YAML, XML, CSV, SQL, Markdown.
- Dev Productivity — regex, cron, timestamps, HTTP, color, word counter, aspect ratio, case.
- Frontend & Design — Flexbox, Grid, box shadow, favicon.
Curated and maintained by Mian Ali Khalid. Last updated 2026-04-25.