User guide

How to use this site

A practical guide to the toolbox: what is here, how each tool works, which tools to reach for, and how the site handles privacy, languages, and offline use. Everything computes locally in your browser.

At a glance

The essentials in one panel. These figures are generated from the site itself at build time, so they always match what is actually published.

Live tools
64
Categories
10
Learn articles
241
Languages
16
Where it runs
In your browser, on your device
Your input
Never sent anywhere by default
Code license
Apache-2.0
Content license
CC BY 4.0
Built with
Next.js, a statically exported progressive web app
Price
Free to use; the first useful answer is never behind a paywall

Tool reference

Every general-purpose tool, grouped by category. This list is generated from the live registry, so it is always complete. Tools tied to a specific vendor live on that vendor's page.

Certificates & PKI

  • Certificate renewal plannerWork out a TLS certificate's validity, whether it fits the CA/Browser Forum 47-day schedule, and the renewal cadence it implies — all offline.
  • CSR decoderDecode a PKCS#10 certificate signing request to read its subject, public key, requested SANs and extensions, and attributes — entirely in your browser.
  • X.509 Certificate DecoderPaste a PEM, base64, or hex certificate to read its subject, issuer, validity window, public key, and v3 extensions, with SHA-256 and SHA-1 fingerprints. Runs entirely in your browser.

Encoding & data

  • Base64, Base32, Hex & Percent CodecEncode text to Base64, URL-safe Base64, Base32, hexadecimal, or percent-encoding, and decode any of them back. Tolerant of missing padding and whitespace, and it flags binary (non-UTF-8) results. Runs entirely in your browser.
  • JSON ↔ YAML ConverterConvert JSON to block-style YAML or YAML back to JSON, entirely in your browser. Parse errors point to the exact line and column, and conversion notes flag the lossy edges like dropped comments and expanded anchors.
  • JSON Formatter & ValidatorValidate, pretty-print, minify, and sort JSON. Parse errors point to the exact line, column, and path; duplicate keys are flagged; and large numbers are preserved exactly. Runs entirely in your browser.
  • Unix time converterType a Unix timestamp — seconds, milliseconds, microseconds, or nanoseconds, detected automatically — or an ISO-8601 date, and read it back in every common format. All in your browser.

Hashing & crypto

  • Hash Generator (SHA-1/256/384/512)Compute SHA-1, SHA-256, SHA-384, and SHA-512 digests of any text, shown as hex and Base64, using the browser's native Web Crypto. Runs entirely in your browser.
  • Hash Preimage FinderWatch a bounded, local brute-force search recover a weak hash input in seconds, or run out of keyspace on anything with real entropy. No wordlist, no table, just your browser. A demonstration of why fast, unsalted hashes fail.
  • HMAC Generator (SHA-256/384/512)Compute a keyed HMAC over a message with your secret key, shown as hex and Base64, via the browser's native Web Crypto. The same construction the JWT verifier uses for HS256. Your key never leaves your browser.

Identifiers

  • UUID Generator & Inspector (v4 / v7)Generate random v4 or time-ordered v7 UUIDs, or paste any UUID to read its version, variant, and (for v7) the embedded creation timestamp. Generation uses the browser's secure random source. Runs entirely in your browser.

Identity & tokens

  • JWKS explainer + key matcherPaste a JSON Web Key Set to break down every key, flag any private material, and match a JWT to its key by kid. Nothing leaves your browser.
  • JWT Decoder & VerifierDecode a JSON Web Token's header and claims, read its expiry and timing in plain language, and verify an HS256/384/512 signature with a pasted secret. Runs entirely in your browser.
  • OAuth PKCE Verifier & ChallengeGenerate an OAuth 2.0 code_verifier and derive its S256 code_challenge, or paste your own and check it against RFC 7636's length and charset rules. The same SHA-256 base64url derivation your authorization server expects. Runs entirely in your browser.
  • OIDC DecoderPaste an OpenID Connect ID token or a .well-known/openid-configuration document and decode it: the core claims, profile claims, endpoints, and capabilities, with checks for required claims, signing algorithm, nonce, and PKCE.
  • SAML DecoderPaste a SAML Response or assertion (raw, base64, or URL-encoded) and decode its issuer, status, subject, conditions, audience, and attributes, with signature and weak-algorithm checks. Hardened against XXE.
  • TOTP / HOTP Generator & ValidatorGenerate and check time-based (TOTP, RFC 6238) and counter-based (HOTP, RFC 4226) one-time passwords - the codes behind authenticator apps and hardware tokens such as FortiToken. SHA-1/256/512, configurable digits and step. Computed locally with Web Crypto; your secret never leaves your browser.

Networking

  • CIDR / Subnet CalculatorBreak down any IPv4 CIDR block into network and broadcast addresses, usable host range, host count, and netmask. Runs entirely in your browser.
  • dig output explainerPaste real dig output and get a decoded, explained breakdown: the header and flags, the EDNS OPT pseudo-section, every record in each section, and the query stats. Parsed entirely in your browser, nothing is resolved or sent anywhere.
  • IPv6 ToolkitParse an IPv6 address or prefix to see its canonical (RFC 5952) and fully expanded forms, special-use classification, prefix math, an EUI-64 MAC if present, and its ip6.arpa reverse-DNS name. Runs entirely in your browser.
  • nslookup output explainerPaste real nslookup output and get a decoded, explained breakdown: the resolver it used, whether the answer is authoritative, every record (with MX / SRV / SOA field breakdowns), and any failures. Parsed entirely in your browser, nothing is resolved or sent anywhere.
  • Syslog PRI decoder + encoderDecode a syslog PRI such as 134 into its facility and severity, or encode them back, all in your browser.

Security & WAF

  • CVSS vector decoderPaste a CVSS v3.1 or v3.0 vector and get the score computed and mapped to a severity, with every metric spelled out. Local and offline; nothing is sent anywhere.
  • Secure Headers AnalyzerPaste an HTTP response and get a graded breakdown of its security headers, cookie flags, and cross-origin policy, checked against OWASP, RFC 6797, CSP Level 3, and RFC 6265bis.
  • SSRF URL classifierPaste a URL and see where it actually points: loopback, a private or link-local range, a cloud metadata endpoint, CGNAT, reserved space, or the public internet. Decimal, octal, and hex IP obfuscation is decoded, dangerous schemes and embedded credentials are flagged, and an SSRF risk level is shown. It never resolves DNS and never sends the request.
  • XML DecoderPaste XML and read its structure: the declaration, the DOCTYPE and any entities, the element tree with namespaces and attributes, plus a security check of the XML attack surface. Nothing is fetched or resolved.

Text & utilities

  • Text DiffCompare two blocks of text and see exactly what changed, line by line, with inline word-level highlighting on edited lines. Optionally ignore whitespace or case. Everything is computed in your browser; your text is never sent anywhere.

TLS & transport

  • Cipher Suite DecoderEnter a TLS cipher suite, as an IANA name, an OpenSSL or GnuTLS name, or a hex code point, to break it into its key exchange, authentication, cipher, mode, and MAC, with a plain-language security read-out and the official IANA recommendation. Runs entirely in your browser against a bundled copy of the IANA registry.

Web & HTTP

  • HTTP request translatorPaste a curl command and get it explained flag by flag, then translated to fetch, a raw HTTP request, HTTPie, and Python requests. Local and offline; the command is decoded in your browser and nothing is sent or run.
  • Regex ToolkitTest, explain, and debug regular expressions with live matches and a backtracking-risk check.
  • URL InspectorDissect any URL into its named parts: scheme, host, port, path, query parameters, and fragment. Decodes percent-escapes and internationalized hosts, and flags credentials and other issues. Runs entirely in your browser.

Suggested usage

Common tasks, and the tools that get them done. Follow the tools in order for each task.

Inspect a token you received

Decode a JSON Web Token to read its claims, then decode any Base64 fields inside it.

  1. JWT Decoder & Verifier
  2. Base64, Base32, Hex & Percent Codec

Plan an IP subnet

Work out network ranges, masks, and host counts for IPv4, then do the same for IPv6.

  1. CIDR / Subnet Calculator
  2. IPv6 Toolkit

Work with a TLS certificate

Decode a certificate to see its fields, check a signing request, and plan the renewal date.

  1. X.509 Certificate Decoder
  2. CSR decoder
  3. Certificate renewal planner

Set up sign-in for an app

Understand an OpenID Connect flow, add PKCE for a public client, and add a one-time-password second factor.

  1. OIDC Decoder
  2. OAuth PKCE Verifier & Challenge
  3. TOTP / HOTP Generator & Validator

Read a DNS answer

Make sense of the output from dig, and from nslookup, line by line.

  1. dig output explainer
  2. nslookup output explainer

Verify data integrity

Compute a hash of some data, or an HMAC when a shared secret is involved.

  1. Hash Generator (SHA-1/256/384/512)
  2. HMAC Generator (SHA-256/384/512)

Manual

Running a tool

Open any tool, paste or type your input, and the result appears immediately. There is no sign-in and nothing to install. Most tools include an Example button that fills in sample input, and a Clear button that resets the fields. Below each tool you will find related Learn articles that explain the underlying concept.

Privacy and themes

Tools run entirely in your browser, so the data you enter is not transmitted anywhere by default. Your theme choice is remembered on your device only. Your language is carried in the page address rather than stored. The Privacy page explains exactly what is and is not kept.

The API

Each tool's logic is also documented as an API, with a machine-readable specification you can read on the API page. The API is documented for reference; whether requests are served depends on the site's current configuration, which the API page states plainly.

Languages

The interface is available in several languages; switch using the language control in the header. English and Brazilian Portuguese are authored directly. Where a phrase has not yet been translated for a given language, the English text is shown for that phrase so nothing is ever missing.

Offline use

The site is a progressive web app. Once you have visited it, your browser can keep it available, and because the tools compute locally they keep working without a connection. You can add the site to your home screen or desktop like an app.

Source and license

The project is open source. The code is licensed under Apache 2.0 and the written content under CC BY 4.0. You can read the source, report an issue, or suggest a tool from the repository, which is linked in the footer and on the License page.