Changelog
What is new
A running record of new tools, new Learn articles, and significant changes to this site. There are 30 tools live today.
- Localization
OIDC tool now fully localized in all 16 locales
The OIDC decoder's entire interface - input labels, badges, panels, claim categories and field labels, the assessment reasons, and the authorization-code flow diagram - is now translated across all 16 locales.
- Content
oidc: authorization-code flow diagram
The OIDC tool now shows a theme-aware diagram of the OpenID Connect authorization-code flow, from the authorization request through token exchange, ID token validation against the JWKS, and the optional UserInfo call. Each step names the same discovery-document endpoint the decoder reports.
- Localization
cipher key-exchange groups panel now in all 16 locales
The post-quantum key-exchange groups reference is now translated across all 16 locales, so its labels and explanations read natively instead of falling back to English.
- Feature
cipher: post-quantum key-exchange groups reference
The cipher tool now includes a reference for the TLS supported_groups - the key-agreement groups negotiated separately from the cipher suite - with the post-quantum ML-KEM hybrids featured. X25519MLKEM768 (0x11EC), SecP256r1MLKEM768, and SecP384r1MLKEM1024 are shown alongside the classical ECDHE and finite-field groups, each flagged by type, post-quantum status, and recommended/obsolete state. Backed by a golden-vector-tested name and code-point decoder.
- Localization
x509 Certificate Transparency panel now in all 16 locales
The SCT panel's labels and explanatory text are now translated across all 16 locales, so embedded Certificate Transparency timestamps read natively instead of falling back to English.
- Feature
x509: decode embedded Certificate Transparency SCTs
The X.509 decoder now decodes the signedCertificateTimestampList extension (RFC 6962) instead of just naming it: each embedded SCT's version, log ID, logged-at timestamp, and signature algorithm are shown. Structural decode only - the SCT signatures are not verified, which would need the CT log's public key. Golden-vector tested against hand-built SCT lists and validated end-to-end against a certificate carrying the extension.
- Localization
CSR decoder UI now in all 16 locales
The CSR decoder's interface — input labels, result cards, the requested-extension and attribute labels, and the error messages — is now translated across all 16 locales (40 strings each), so the tool reads natively instead of falling back to English.
- New tool
New tool: CSR decoder
Decode a PKCS#10 certificate signing request (RFC 2986) entirely in the browser: subject, public key, requested SANs and extensions, the legacy challenge-password and unstructured-name attributes, and the self-signature. A CSR is a request, not a certificate, so there are no validity dates, serial, or issuer to read. Deterministic, golden-vector tested against OpenSSL-generated RSA, EC and Ed25519 requests, and never uploaded.
- Localization
Certificate renewal planner UI now in all 16 locales
The planner's interface — input labels, result cards, the SC-081v3 schedule table, the projection, and the guidance notes — is now translated across all 16 locales (44 strings each), so the tool reads natively instead of falling back to English.
- Localization
Planner Learn articles now in Brazilian Portuguese
The five certificate renewal planner articles — the 47-day schedule, validity windows, DCV/SII reuse, renewing with ACME and ARI, and public vs private PKI — are now translated to Brazilian Portuguese, bringing pt-BR to parity with English for this set.
- Content
Learn: five articles on certificate lifetimes and renewal
Five new Learn articles back the certificate renewal planner: the CA/Browser Forum path to 47-day certificates, how validity windows and renewal lead time work, the shrinking DCV and SII validation-reuse periods, renewing on time with ACME and ARI, and why the rules bind public TLS but not private PKI. English first; other locales follow.
- Localization
Remaining static pages fully localized
The Share-an-idea feedback page, plus the last English-fallback paragraphs on the colophon, API, and license pages, are now translated across all sixteen languages, bringing every non-article static page to full locale parity. The feedback page now explicitly invites bugs, mistakes, and inaccuracies.
- Content
Decomposition diagram added to the syslog PRI decoder
The syslog PRI decoder now shows how a single PRI integer splits into its two fields - dividing by 8 gives the facility and the remainder gives the severity - with the worked example of PRI 134.
- Content
Construction diagram added to the HMAC generator
The HMAC generator now shows the two-pass construction - the key XORed with an inner pad is prepended to the message and hashed, then the key XORed with an outer pad is prepended to that result and hashed again - the structure that makes HMAC resistant to length-extension.
- Content
Key-matching diagram added to the JWKS explainer
The JWKS explainer now shows how a verifier selects a key - a JWT header's kid is matched against the keys in the set, picking the one with the same kid to check the signature.
- Content
Anatomy diagram added to the JWT decoder
The JWT decoder now shows the token's three base64url segments - header, payload, and signature - colour-coded and joined by dots, with the header and payload bracketed as the signing input that the signature is computed over.
- Content
Flow diagram added to the SAML decoder
The SAML decoder now shows the SP-initiated web-browser SSO round trip - the AuthnRequest, the redirect to the identity provider, authentication, the signed assertion, and the POST back to the service provider - so a decoded message can be placed in the wider flow.
- New tool
New tool: certificate renewal planner
The first of a certificate-lifecycle set. Enter a TLS certificate's issue and expiry dates to see its validity length, whether that length fits the CA/Browser Forum SC-081v3 schedule (the 398 -> 200 -> 100 -> 47-day reduction running to 2029), the renewal cadence it implies and how that escalates at every future cap, the domain and identity validation-reuse windows for its issuance era, and a recommended renew-by date. All offline, in your browser; publicly trusted TLS certificates only.
- Feature
SSL profile explainer now shows the data path
Decoding a client-ssl or server-ssl profile now draws the BIG-IP SSL data path — client, BIG-IP, pool member — and lights up the TLS leg the profile actually governs: a client-ssl profile on the client-side leg it terminates, a server-ssl profile on the server-side leg it initiates, with the profile named on that leg. The note spells out the offload-versus-re-encrypt consequence. This closes the Tier 1 SVG retrofits. Vector, theme-aware, parsed entirely in the browser.
- Feature
IPv6 tool now shows the address structure
Decoding an IPv6 address now draws its 128 bits as eight hextet cells over a 0-128 bit ruler, with the prefix boundary drawn at the actual /N — shading the network prefix apart from the host portion, and naming the 64-bit interface identifier when the split lands on /64. With no prefix supplied, a dashed line marks the conventional /64 boundary instead. The fourth of the Tier 1/2 SVG retrofits, and the right shape for 128 bits where a per-bit grid would not fit. Vector, theme-aware, all in the browser.
- Feature
CIDR analyzer now shows the address layout
Alongside the binary bit-grid, a subnet now gets an address-layout strip: the network address and the broadcast address as reserved cells at each end, with the usable-host span shaded between them and the first/last host range named. A /31 or /32 collapses to a single all-usable bar, since RFC 3021 reserves neither network nor broadcast there. The third of the Tier 1/2 SVG retrofits. Vector, theme-aware, computed entirely in the browser.
- Feature
x509 tool now shows the chain of trust
Decoding a certificate now draws a small chain-of-trust diagram — root CA, intermediate CA, end-entity — and highlights where the pasted certificate sits: a self-signed certificate lights up the root, a CA certificate the intermediate, and an ordinary certificate the leaf, with its subject and issuer named and the self-signed case called out. The second of the Tier 1/2 SVG retrofits. Vector and theme-aware; the certificate never leaves the browser.
- Feature
PKCE tool now shows the flow as a diagram
The PKCE generator gains an inline sequence diagram of the S256 authorization-code flow — generate a code_verifier, derive the code_challenge, carry it on the /authorize request, get an authorization code, send the verifier on the /token request, and have the server re-derive and compare before issuing tokens — colour-coded by who acts (app vs authorization server). It is the first of the Tier 1/2 SVG retrofits across existing tools. Vector and theme-aware; nothing about the tool leaves the browser.
- New tool
iRule event order is live
Toggle the profile stack on a BIG-IP virtual server — client-SSL, HTTP, server-SSL, pool, or FastL4 — and see the order the common iRule events fire, from CLIENT_ACCEPTED through CLIENT_CLOSED, as a colour-coded timeline (the toolbox's first inline diagram) and an ordered list, with the conditional events (TCP/HTTP collect, LB failure, 100 Continue) called out and where each one slots in. The sequence is pinned to F5 Clouddocs and the DevCentral event-order capture. Five Learn articles ship alongside it. It is a model of documented behaviour that runs entirely in the browser and never contacts a device.
- New tool
Unix time converter is live
Paste a Unix timestamp — the unit (seconds, milliseconds, microseconds, or nanoseconds) is read from its magnitude and stated back to you — or an ISO-8601 date, and get the instant in every common form: the UTC calendar breakdown with weekday and day-of-year, ISO 8601, RFC 3339, the HTTP date, and the timestamp in all four units. Negative timestamps and the Year 2038 boundary are flagged. Five Learn articles ship alongside it. The conversion is pure date math that runs entirely in the browser; a Now button and a relative-to-your-clock line are the only parts that read the wall clock.
- New tool
F5 SSL profile explainer is live
Paste a tmsh client-ssl or server-ssl profile and get its role, the TLS protocol matrix derived from the options field (which version each no- flag permits or blocks), and a 🟢/🟡/🟠/🔴 security read covering chain building, renegotiation, SNI, OCSP stapling, and mutual-TLS validation — each setting explained. Five Learn articles ship alongside it. Parsing runs entirely in the browser; it never contacts a device.
- Feature
Two F5 iControl REST tools on the roadmap
Queued an iControl REST path explainer — which decodes /mgmt/tm/... URLs, the tilde-encoded ~partition~ paths, and the query options, and shows the matching tmsh path — and an iControl REST stats decoder that flattens F5's deeply nested stats JSON into readable key-values. Both are offline and never contact a device.
- Content
Licensing and colophon copy updated across all locales
The license, colophon, and API copy were reworded in every live language to match how things work now: each tool is self-contained and runs entirely in the browser, with no upstream engine imported at runtime. The determinism and privacy guarantees are unchanged.
- Feature
Two Expect (Tcl) tools on the roadmap
Queued an Expect script explainer — which breaks down spawn, expect, send, and timeout blocks and flags pitfalls like hardcoded credentials and a missing timeout — and an Expect pattern tester for the glob, -re, and -ex match modes. Both are static and offline; neither runs a script.
- Infrastructure
CIDR is now self-contained
The CIDR tool was the last piece still calling an external compute package; its single-subnet analysis (cidrAnalyze) has been brought in-house, with output verified byte-for-byte against what it replaced. The site no longer depends on any external engine at runtime.
- New tool
New tool: Regex Toolkit
Compile, test, and explain JavaScript regular expressions in one place: live matches with positional and named capture groups highlighted, a plain-language token breakdown of what the pattern does, and a static check that warns before a catastrophic-backtracking (ReDoS) pattern runs against your text — so a single keystroke cannot freeze the page. Ships with three Learn articles. Everything runs in the browser.
- Feature
CIDR tool: octet bit visualization and a netmask slider
The subnet mode now draws the address as 32 bits across its four octets, showing the binary and decimal value of each octet and highlighting the network bits apart from the host bits. A prefix-length slider lets you drag the mask from /0 to /32 and watch the split move.
- Feature
F5 packet-trailer tools added to the roadmap
Two tools derived from the Wireshark f5ethtrailer dissector were added to the roadmap: an F5 Ethernet trailer decoder (Low, Medium, and High details: ingress, slot, TMM, VIP, flow and peer IDs, RST cause, peer info; it ignores the TLS keylog provider) and an F5 TCP RST cause explainer.
- New tool
JWKS explainer and key matcher
A new tool that breaks down a JSON Web Key Set: it explains every key (type, use, algorithm, size), flags any private or symmetric key material that should never appear in a published set, and matches a JWT to its key by kid. It completes the JWT and OIDC verification story and never fetches a jwks_uri. Shipped with three Learn articles.
- New tool
Syslog PRI decoder and encoder
A new tool that decodes a syslog PRI value (such as 134) into its facility and severity, or encodes a facility and severity back into a PRI and its on-the-wire form. It notes the common network-device facility defaults (FortiGate local7, Cisco ASA local4, F5 BIG-IP local0). Shipped with three Learn articles.
- Feature
SIEM event formats added to the roadmap
Four logging and SIEM tools were added to the roadmap: a CEF decoder (ArcSight), a Splunk HEC event explainer, a LEEF decoder (QRadar) in a new logging category, and an F5 high-speed logging and log-profile explainer.
- Feature
Roadmap expanded with syslog, API, and cloud-native tools
Nine tools were added to the roadmap. Two syslog tools (a PRI decoder and encoder, and a full RFC 5424 / RFC 3164 message parser) and four API tools (a JWKS explainer and key matcher, a CORS preflight explainer, a webhook signature verifier, and an OpenAPI explainer) were ranked by value. A cloud-native set (Kubernetes NetworkPolicy, RBAC, and kubeconfig explainers) was added in a new category at the end of the queue.
- New tool
F5 cipher-string explainer
A new tool that parses an F5 BIG-IP cipher string, explains every keyword and operator, and flags weak or deprecated choices alongside forward secrecy. It recognizes the pre-built rules (f5-default, f5-secure, f5-ecc). It deliberately does not reproduce the exact per-TMOS ordered suite list, which depends on the platform version. Shipped with three Learn articles.
- New tool
Persistence-method explainer
A new tool that reads BIG-IP persistence profiles and virtual servers, explains each method (cookie, source-address, SSL, universal, hash, and more) with its real failure modes, and resolves each virtual's primary and fallback persistence chain. It reuses the tmsh parser and pairs with the persistence cookie decoder. Shipped with three Learn articles.
- New tool
tmsh config explainer
A new tool that parses a BIG-IP bigip.conf snippet and explains its objects (virtual servers, pools, monitors, profiles, and iRules) in plain English. Shipped with three Learn articles.
- New tool
JSON / YAML converter
A new tool that converts between JSON and YAML in the browser, flagging dropped comments, expanded anchors, and number-precision limits. Useful for moving between F5 AS3/DO (JSON) and Kubernetes, Ansible, or CI (YAML). Shipped with three Learn articles.
- New tool
JSON formatter and inspector
A new tool that formats and validates JSON with precise error locations, structural statistics, and duplicate-key detection. Shipped with three Learn articles.
- New tool
URL inspector
A new tool that parses a URL into its components, decodes query and path encoding, and explains each part, introducing the new HTTP and web tool category. Shipped with three Learn articles.
- New tool
BIG-IP persistence cookie decoder
A new tool that decodes F5 BIG-IP persistence cookies across all four encoding formats, detects encrypted cookies, and can also encode a cookie from a pool member. Shipped with Learn articles.
- New tool
OIDC decoder
A new tool that decodes OpenID Connect ID tokens (reusing the JWT engine) and .well-known/openid-configuration documents, flagging missing claims, the none algorithm, and PKCE method. It never calls the jwks_uri. Shipped with Learn articles.
- New tool
SAML decoder
A new tool that decodes and explains SAML assertions and metadata using an XXE-hardened XML parser, with the mandatory external-entity rejection. Shipped with Learn articles.
- New tool
Security headers analyzer
A new tool that analyzes HTTP security response headers across 25 headers with detailed reason codes, the first tool of the ranked build sprint. Shipped with five Learn articles.
- Feature
Tool roadmap ranked and catalogue reorganized
The full tool roadmap was ranked end to end and persisted into the catalogue. The tools index was reorganized to list tools alphabetically, with Learn articles in a curated reading order.
- Feature
Search upgraded with result badges
Site search moved from grouped results to pure relevance ranking, and now labels each result as a tool, an article, or a page.
- New tool
base64 rebuilt as a unified codec
The base64 tool was rebuilt into a single codec covering base64, base64url, base32, base16/hex, and percent-encoding, with four new Learn articles.
- New tool
CIDR tool rebuilt
The CIDR tool was rebuilt and moved to its own canonical page, with new Learn articles.
- Infrastructure
Locale scaffolding expanded
Additional locales were scaffolded, bringing the total to 42, including right-to-left layout support for the relevant scripts.
- Localization
Sixteen languages completed
Full message packs were completed across all sixteen live locales. A machine-translation notice and a Contribute page were added, with downloadable language packs for community review.
- Launch
ronutz.com went live
The site launched on Cloudflare Workers with ten client-side tools (JWT, PKCE, X.509, cipher-suite, IPv6, CIDR, base64, hash, HMAC, and UUID), the Learn article system, Pagefind search, an eight-theme switcher, and the full About, Certifications, and Training sections. Every tool runs entirely in the browser with no telemetry.
JWT decoder · PKCE helper · X.509 inspector · Cipher-suite decoder · IPv6 toolkit · CIDR / subnetting · Base64 / Base32 / Hex / Percent codec · Hash · HMAC · UUID