Tools
Tools that compute, never guess.
Small, fast, privacy-first utilities that run entirely in your browser. Nothing you type is sent anywhere.
Certificates & PKI
ACME dns-01 TXT computer
Compute the TXT record for an ACME dns-01 challenge, from the token and account key.
Certificates & PKICertificate renewal planner
Work out a TLS certificate's validity, whether it fits the CA/Browser Forum 47-day schedule, and the renewal cadence it implies — all offline.
Certificates & PKICSR decoder
Decode a PKCS#10 certificate signing request to read its subject, public key, requested SANs and extensions, and attributes — entirely in your browser.
Certificates & PKILet's Encrypt rate-limit planner
Plan certificate issuance for a set of hostnames: group them by registered domain and see how they map onto Let's Encrypt's rate limits.
Certificates & PKIX.509 Certificate Decoder
Paste a PEM, base64, or hex certificate to read its subject, issuer, validity window, public key, and v3 extensions, with SHA-256 and SHA-1 fingerprints. Runs entirely in your browser.
Certificates & PKI
Encoding & data
Base64, Base32, Hex & Percent Codec
Encode text to Base64, URL-safe Base64, Base32, hexadecimal, or percent-encoding, and decode any of them back. Tolerant of missing padding and whitespace, and it flags binary (non-UTF-8) results. Runs entirely in your browser.
Encoding & dataJSON ↔ YAML Converter
Convert JSON to block-style YAML or YAML back to JSON, entirely in your browser. Parse errors point to the exact line and column, and conversion notes flag the lossy edges like dropped comments and expanded anchors.
Encoding & dataJSON Formatter & Validator
Validate, pretty-print, minify, and sort JSON. Parse errors point to the exact line, column, and path; duplicate keys are flagged; and large numbers are preserved exactly. Runs entirely in your browser.
Encoding & dataUnix time converter
Type a Unix timestamp — seconds, milliseconds, microseconds, or nanoseconds, detected automatically — or an ISO-8601 date, and read it back in every common format. All in your browser.
Encoding & data
Hashing & crypto
Hash Generator (SHA-1/256/384/512)
Compute SHA-1, SHA-256, SHA-384, and SHA-512 digests of any text, shown as hex and Base64, using the browser's native Web Crypto. Runs entirely in your browser.
Hashing & cryptoHash Preimage Finder
Watch a bounded, local brute-force search recover a weak hash input in seconds, or run out of keyspace on anything with real entropy. No wordlist, no table, just your browser. A demonstration of why fast, unsalted hashes fail.
Hashing & cryptoHMAC Generator (SHA-256/384/512)
Compute a keyed HMAC over a message with your secret key, shown as hex and Base64, via the browser's native Web Crypto. The same construction the JWT verifier uses for HS256. Your key never leaves your browser.
Hashing & crypto
Identity & tokens
JWKS explainer + key matcher
Paste a JSON Web Key Set to break down every key, flag any private material, and match a JWT to its key by kid. Nothing leaves your browser.
Identity & tokensJWT Decoder & Verifier
Decode a JSON Web Token's header and claims, read its expiry and timing in plain language, and verify an HS256/384/512 signature with a pasted secret. Runs entirely in your browser.
Identity & tokensOAuth PKCE Verifier & Challenge
Generate an OAuth 2.0 code_verifier and derive its S256 code_challenge, or paste your own and check it against RFC 7636's length and charset rules. The same SHA-256 base64url derivation your authorization server expects. Runs entirely in your browser.
Identity & tokensOIDC Decoder
Paste an OpenID Connect ID token or a .well-known/openid-configuration document and decode it: the core claims, profile claims, endpoints, and capabilities, with checks for required claims, signing algorithm, nonce, and PKCE.
Identity & tokensSAML Decoder
Paste a SAML Response or assertion (raw, base64, or URL-encoded) and decode its issuer, status, subject, conditions, audience, and attributes, with signature and weak-algorithm checks. Hardened against XXE.
Identity & tokensTOTP / HOTP Generator & Validator
Generate and check time-based (TOTP, RFC 6238) and counter-based (HOTP, RFC 4226) one-time passwords - the codes behind authenticator apps and hardware tokens such as FortiToken. SHA-1/256/512, configurable digits and step. Computed locally with Web Crypto; your secret never leaves your browser.
Identity & tokens
Networking
CIDR / Subnet Calculator
Break down any IPv4 CIDR block into network and broadcast addresses, usable host range, host count, and netmask. Runs entirely in your browser.
Networkingdig output explainer
Paste real dig output and get a decoded, explained breakdown: the header and flags, the EDNS OPT pseudo-section, every record in each section, and the query stats. Parsed entirely in your browser, nothing is resolved or sent anywhere.
NetworkingIPv6 Toolkit
Parse an IPv6 address or prefix to see its canonical (RFC 5952) and fully expanded forms, special-use classification, prefix math, an EUI-64 MAC if present, and its ip6.arpa reverse-DNS name. Runs entirely in your browser.
Networkingnslookup output explainer
Paste real nslookup output and get a decoded, explained breakdown: the resolver it used, whether the answer is authoritative, every record (with MX / SRV / SOA field breakdowns), and any failures. Parsed entirely in your browser, nothing is resolved or sent anywhere.
NetworkingRegistered domain (eTLD+1)
Find the public suffix (eTLD) and registered domain (eTLD+1) for any hostname, using the Public Suffix List.
NetworkingSyslog PRI decoder + encoder
Decode a syslog PRI such as 134 into its facility and severity, or encode them back, all in your browser.
Networking
Security & WAF
CVSS vector decoder
Paste a CVSS v3.1 or v3.0 vector and get the score computed and mapped to a severity, with every metric spelled out. Local and offline; nothing is sent anywhere.
Security & WAFSecure Headers Analyzer
Paste an HTTP response and get a graded breakdown of its security headers, cookie flags, and cross-origin policy, checked against OWASP, RFC 6797, CSP Level 3, and RFC 6265bis.
Security & WAFSSRF URL classifier
Paste a URL and see where it actually points: loopback, a private or link-local range, a cloud metadata endpoint, CGNAT, reserved space, or the public internet. Decimal, octal, and hex IP obfuscation is decoded, dangerous schemes and embedded credentials are flagged, and an SSRF risk level is shown. It never resolves DNS and never sends the request.
Security & WAFXML Decoder
Paste XML and read its structure: the declaration, the DOCTYPE and any entities, the element tree with namespaces and attributes, plus a security check of the XML attack surface. Nothing is fetched or resolved.
Security & WAF
Web & HTTP
HTTP request translator
Paste a curl command and get it explained flag by flag, then translated to fetch, a raw HTTP request, HTTPie, and Python requests. Local and offline; the command is decoded in your browser and nothing is sent or run.
Web & HTTPRegex Toolkit
Test, explain, and debug regular expressions with live matches and a backtracking-risk check.
Web & HTTPURL Inspector
Dissect any URL into its named parts: scheme, host, port, path, query parameters, and fragment. Decodes percent-escapes and internationalized hosts, and flags credentials and other issues. Runs entirely in your browser.
Web & HTTP
This toolbox is growing. New tools are added here as they ship, each one local-first and free to use.