About these tools

What each one does and when to reach for it

Base64

Encode plain text into Base64 (RFC 4648) or decode it back. Decode is the default direction because it is by far the more common one in day-to-day work. You will reach for Base64 decoding when you are inspecting a data: URL, picking apart a JWT segment that arrived in your Authorization header, reading a token someone pasted in Slack, or unpacking a secret that ended up in an environment variable. Encoding is what you do when you need to embed binary-safe text inside a URL or JSON field. Both directions handle Unicode (UTF-8) correctly.

TOTP & HOTP — One-Time Password Generator

Open the dedicated TOTP / HOTP page →

Generate the same code an authenticator app would show, given a Base32-encoded shared secret. This implements both RFC 6238 (TOTP, time-based) and RFC 4226 (HOTP, counter-based), and exposes the full set of options that real-world 2FA deployments care about: HMAC-SHA1 / SHA-256 / SHA-512, 6 / 7 / 8 digits, 30 / 60 second windows, and an explicit HOTP counter. Compatible with Google Authenticator, 1Password, Authy, FreeOTP, and any other RFC-compliant client.

Paste an otpauth:// URI and every option auto-fills from the URI parameters — useful when you receive one over a side-channel and want to inspect it before importing. Going the other direction, the Show as QR action hands the current configuration to the QR tab so you can scan it straight into your phone's authenticator. The previous and next windows are kept on screen in case the verifying server's clock has drifted.

QR Code Generator

Open the dedicated QR page →

Render any text or URL as a QR code following ISO/IEC 18004. The most common practical use here is converting an otpauth:// URI into a scannable code so you can hand it to a phone-based authenticator, but it works for any short text — Wi-Fi credentials, a contact card, a one-off URL. Pick error correction level L / M / Q / H — higher levels survive smudges and folds but produce denser codes. Download the result as a vector SVG (sharp at any size) or a PNG.

URL Encoder / Decoder

Percent-encode and decode URL components per RFC 3986. Decode is the default because the more common scenario is “I see this encoded URL in a log and need to read it”. Two scopes are available: Component treats your input as a single value and encodes everything that is not alphanumeric — the strict mode for query parameter values; Full URL preserves URL structure characters (:/?#[]) so a complete URL stays clickable. Use Component when handling query string values or path segments individually, Full URL when working with whole URLs.

JSON Formatter

Validate, pretty-print, or minify JSON (ECMA-404). On invalid input, the exact line and column of the syntax error are highlighted so you can jump straight to the broken character. The pretty-printer supports 2-space, 4-space, and tab indentation. Useful when you have just received an unformatted blob from an API, need to inspect a deeply nested response, or want to minify before embedding in a build artifact.

JWT Decoder & Verifier

Open the dedicated JWT page →

Decode and inspect JSON Web Tokens (RFC 7519). The token is split into its three Base64-encoded parts (header, payload, signature) and the JSON content of each is pretty-printed. The standard time claims — iat, nbf, exp — are surfaced as human-readable timestamps with a live countdown when the token is active.

Paste a key in the Verify signature box and the cryptographic check runs locally via the browser's Web Crypto API. Supported families: HS256/HS384/HS512 with a shared secret; RS256/RS384/RS512 and PS256/PS384/PS512 with an RSA public key in PEM SPKI format; ES256/ES384/ES512 with an EC public key on P-256 / P-384 / P-521. The secret or key is held only in memory for the running verification — it is never sent to a server, written to storage, or logged.

Hash

Compute cryptographic hashes (FIPS 180-4): SHA-1, SHA-256, SHA-384, and SHA-512. Drop a file or paste text; the digest is computed locally using crypto.subtle.digest — the browser's native Web Crypto implementation. Useful for verifying a downloaded file matches its published checksum, generating fingerprints for content-addressed storage, or quick integrity checks before processing a payload further.

Hex

Convert between text and hex byte sequences. Decode is the default — paste hex (with or without separators between bytes) and read it back as text. Useful when reading hex dumps, debugging binary protocols, or working with low-level encoding where you have the raw bytes but not yet a readable form. The separator option lets you switch between space-separated, colon-separated, and continuous output when encoding.

HTML Entities

Encode and decode HTML entities. Decode is the default — paste markup littered with <, &, ", etc. and read the original characters. Encode mode produces HTML-safe output suitable for embedding user-supplied text into a page. The reference grid below the input shows common entities you can copy individually if you only need one or two.

Regex Tester

Test JavaScript-flavored regular expressions (ECMA-262). Type a pattern, toggle flags (g global, i case-insensitive, m multiline, s dot-all), and watch matches highlight in your test text in real time. Capture groups are color-coded; the full match list and group contents are shown below. Useful for prototyping a pattern before pasting it into code, debugging why a regex is not matching what you expected, or learning regex syntax interactively.

Diff

Compare two pieces of text and see the line-by-line differences with additions in green and deletions in red. Useful for spotting changes between two configurations, two API responses, two log excerpts — anything you need to compare side by side. The summary line shows totals so you know at a glance how many lines were added and removed.

Color

Paste a color as HEX, rgb(), or hsl() and see all four standard CSS forms side by side — HEX, RGB, HSL, and the perceptually-uniform OKLCH (CSS Color Module Level 4). The OKLCH form is shown as output only and is handy when generating theme palettes or when you want a color whose lightness reads consistently to the eye regardless of hue.

UUID Generator

Generate cryptographically random UUIDs (RFC 4122 v4) — the standard 128-bit identifier used in databases, distributed systems, queue IDs, and APIs. Random bytes come from crypto.getRandomValues. Below the generator, a validator tells you whether a pasted UUID is well-formed and which RFC 4122 version it claims to be (v1 through v5).

Password Generator

Generate cryptographically random passwords aligned with NIST SP 800-63B guidance. Pick a length and which character classes to include (lowercase, uppercase, digits, symbols); a live entropy estimate updates as you adjust the settings. The random source is crypto.getRandomValues, the same cryptographically secure RNG modern browsers use for TLS-related operations. Useful when you need a fresh strong password for an account or service and do not want to fall back to whatever your password manager offers by default.

Random Number Generator

Open the dedicated Random page →

Pull cryptographically random integers or decimals out of the browser's crypto.getRandomValues. The page draws uniform values via rejection sampling so there's no modulo bias — Math.random() is fast but deterministic and ever so slightly non-uniform when scaled to an arbitrary range. Configurable: range (positive, negative, or mixed), how many to draw at once (up to 10,000), integer vs. decimal mode (with 0–15 digits of precision), unique-only mode (uses a partial Fisher–Yates shuffle for fairness), sort order, and the output separator (newline, comma, space, JSON array, CSV row). Quick presets are wired up for dice rolls, lottery picks, percentages, random bytes, and decimal 0–1.

Coin Flip

Open the dedicated Coin page →

A real coin flip with a real 3D animation. The outcome is decided by one bit drawn from crypto.getRandomValues before the coin starts spinning, so the toss is purely cosmetic and the result is provably 50 / 50. Customize the side labels (use Yes / No, Stay / Go, anything binary), pick a per-flip batch size from 1 up to 1000, choose an animation speed from Slow to Instant, and watch the heads/tails percentages converge as you flip. The session log shows your full history with longest-run tracking — useful for confirming with your own eyes that runs of ten or more same-side flips really do happen at the expected rate.

Unix Time

Convert Unix timestamps (POSIX.1 — seconds since 1970-01-01 UTC) into readable dates and back. The live timestamp at the top is your device's current time (Date.now()); no clock service is consulted. Pick a date in the second column to see its timestamp, or paste a timestamp in the first column to see the date in UTC, your local time, and a human-relative form (“2 hours ago”). Useful when reading log files, debugging time-related code, or just figuring out what 1714363200 actually means.

Save & sync settings

Export your settings as a single link, then import them on another device — or into another account. It doubles as a quick backup. The link captures everything this site remembers: the color theme (light / dark / auto mode, palette, and motion setting), the interface language, your tab arrangement, your Temporary File Share history, and the Clipboard tab's saved snippets. Those last two are real content rather than just preferences, so treat the link like any other shareable upload; nothing you decode or generate in the other tools is included.

On the main tools page, open the theme panel and choose Generate sync link. Your preferences are packaged into a small JSON file, uploaded through the same Temporary File Share used elsewhere on the site, and turned into a link that stays valid up to 3 hours. Click the link to copy it.

On the other device, paste the link under Restore from link and choose Apply & reload. The imported preferences overwrite whatever is currently set, the page reloads, and it switches to the saved language if needed. Importing and exporting both work whether or not you are signed in — so the same link is an easy way to carry your setup to a new device, or to copy one account's configuration into another.

Status lights

The two small rectangles that form a square next to the Tools wordmark at the top of the main page are status indicators. They are decorative — every tool keeps working whatever they show — but they offer a quick read on the site’s health.

The left bar breathes in the accent colour at a tempo set by your browser’s round-trip latency to our edge: a slower breath means a healthy connection, a faster one a congested path. The measurement is a same-origin HEAD request to /robots.txt — no third party is contacted and nothing is logged. If your device goes offline the bar dims to grey and freezes, then lights back up the moment connectivity returns.

The right bar reflects the storage state of the Temporary File Share’s 9 GiB ceiling, polled from a small /api/status endpoint every couple of minutes. It shifts colour as the bucket fills: blue when more than 80% of the ceiling is still free, green between 40% and 80% free, yellow between 20% and 40% free, and orange below 20% free. Red means uploads are paused, either because the bucket is completely full or because your IP has been temporarily blocked for abuse. The right bar stays lit when blue or green, hops when yellow or orange, and stays lit when red.

Both bars freeze (lit, not dark) if your operating system reports Reduce motion — unless you explicitly turn Motion on in the theme panel, which overrides the system preference.

How it all works

Every operation runs locally in your browser. Hashes, HMAC, random number generation, base encoding, regex matching, font rendering — all of it. The site loads no third-party scripts, no analytics, no advertising frames. The only network requests after the initial page load are for the static assets themselves (HTML, CSS, JS, fonts, icons), and only on first visit — afterwards a Service Worker serves them offline.

With five opt-in exceptions — the Temporary File Share, the Currency converter, the Wallet / ENS lookup, the Gas tracker, and the Stock quote — nothing you paste, type, or drop leaves your browser. Those five reach only our own origin, never a third party in your browser; our server may then read public market, rate, or blockchain data (and, for the file share and wallet, the file or address you provide) on your behalf. The only persistent state is a few user preferences (theme, palette, animation toggle) saved to localStorage. See the Privacy Policy for the full version.

Open-source notices

Smooth-corner rendering uses Lisse (@lisse/core), licensed under the MIT License: Copyright (c) 2026 Jace Attard.

MIT License

Copyright (c) 2026 Jace Attard

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Contact

Questions, bug reports, or suggestions for tools you would like to see added? Reach out at [email protected].