About these tools
What each one does and when to reach for it
Base64
Encode plain text into Base64 (RFC 4648) or decode it back. Decode is the default
direction because it is by far the more common one in day-to-day work. You will
reach for Base64 decoding when you are inspecting a data: URL,
picking apart a JWT segment that arrived in your Authorization
header, reading a token someone pasted in Slack, or unpacking a secret that ended
up in an environment variable. Encoding is what you do when you need to embed
binary-safe text inside a URL or JSON field. Both directions handle Unicode
(UTF-8) correctly.
TOTP — One-Time Password Generator
Generate the same six-digit code an authenticator app would show, given a Base32-encoded shared secret. This is the standard implemented by Google Authenticator, Authy, 1Password, and most 2FA setups (RFC 6238 with HMAC-SHA1, 30-second windows). Useful when you are setting up 2FA on a server and want to verify the secret was stored correctly before finalizing the configuration, debugging an OTP-based automation, or recovering when an authenticator app is unavailable. The previous and next 30-second windows are also displayed in case the verifying server's clock has drifted slightly.
QR Code Generator
Render any text or URL as a QR code following ISO/IEC 18004. The most common
practical use here is converting an otpauth:// URI into a scannable
code so you can hand it to a phone-based authenticator, but it works for any
short text — Wi-Fi credentials, a contact card, a one-off URL. Pick error
correction level L / M / Q / H — higher levels survive smudges and folds but
produce denser codes. Download the result as a vector SVG (sharp at any size) or
a PNG.
URL Encoder / Decoder
Percent-encode and decode URL components per RFC 3986. Decode is the default
because the more common scenario is “I see this encoded URL in a log and
need to read it”. Two scopes are available: Component
treats your input as a single value and encodes everything that is not
alphanumeric — the strict mode for query parameter values; Full
URL preserves URL structure characters (:/?#[]) so a
complete URL stays clickable. Use Component when handling query string values or
path segments individually, Full URL when working with whole URLs.
JSON Formatter
Validate, pretty-print, or minify JSON (ECMA-404). On invalid input, the exact line and column of the syntax error are highlighted so you can jump straight to the broken character. The pretty-printer supports 2-space, 4-space, and tab indentation. Useful when you have just received an unformatted blob from an API, need to inspect a deeply nested response, or want to minify before embedding in a build artifact.
JWT Decoder
Decode and inspect JSON Web Tokens (RFC 7519). The token is split into its
three Base64-encoded parts (header, payload, signature) and the JSON content of
each is pretty-printed. The expiry status is shown if the payload includes
exp. Note that signature verification is not
performed — that requires the issuer's public key and is out of scope for a
quick-inspection tool. Useful when you are debugging auth flows, want to see what
claims your tokens carry, or need to confirm a token has not expired.
Hash
Compute cryptographic hashes (FIPS 180-4): SHA-1, SHA-256, SHA-384, and SHA-512.
Drop a file or paste text; the digest is computed locally using
crypto.subtle.digest — the browser's native Web Crypto
implementation. Useful for verifying a downloaded file matches its published
checksum, generating fingerprints for content-addressed storage, or quick
integrity checks before processing a payload further.
Hex
Convert between text and hex byte sequences. Decode is the default — paste hex (with or without separators between bytes) and read it back as text. Useful when reading hex dumps, debugging binary protocols, or working with low-level encoding where you have the raw bytes but not yet a readable form. The separator option lets you switch between space-separated, colon-separated, and continuous output when encoding.
HTML Entities
Encode and decode HTML entities. Decode is the default — paste markup littered
with <, &, ", etc.
and read the original characters. Encode mode produces HTML-safe output suitable
for embedding user-supplied text into a page. The reference grid below the input
shows common entities you can copy individually if you only need one or two.
Regex Tester
Test JavaScript-flavored regular expressions (ECMA-262). Type a pattern, toggle
flags (g global, i case-insensitive, m
multiline, s dot-all), and watch matches highlight in your test
text in real time. Capture groups are color-coded; the full match list and group
contents are shown below. Useful for prototyping a pattern before pasting it
into code, debugging why a regex is not matching what you expected, or learning
regex syntax interactively.
Diff
Compare two pieces of text and see the line-by-line differences with additions in green and deletions in red. Useful for spotting changes between two configurations, two API responses, two log excerpts — anything you need to compare side by side. The summary line shows totals so you know at a glance how many lines were added and removed.
Color
Paste a color as HEX, rgb(), or hsl() and see all four
standard CSS forms side by side — HEX, RGB, HSL, and the
perceptually-uniform OKLCH (CSS Color Module Level 4). The OKLCH form is shown
as output only and is handy when generating theme palettes or when you want a
color whose lightness reads consistently to the eye regardless of hue.
UUID Generator
Generate cryptographically random UUIDs (RFC 4122 v4) — the standard 128-bit
identifier used in databases, distributed systems, queue IDs, and APIs. Random
bytes come from crypto.getRandomValues. Below the generator, a
validator tells you whether a pasted UUID is well-formed and which RFC 4122
version it claims to be (v1 through v5).
Password Generator
Generate cryptographically random passwords aligned with NIST SP 800-63B
guidance. Pick a length and which character classes to include (lowercase,
uppercase, digits, symbols); a live entropy estimate updates as you adjust the
settings. The random source is crypto.getRandomValues, the same
cryptographically secure RNG modern browsers use for TLS-related operations.
Useful when you need a fresh strong password for an account or service and do
not want to fall back to whatever your password manager offers by default.
Unix Time
Convert Unix timestamps (POSIX.1 — seconds since 1970-01-01 UTC) into readable
dates and back. The live timestamp at the top is your device's current time
(Date.now()); no clock service is consulted. Pick a date in the
second column to see its timestamp, or paste a timestamp in the first column to
see the date in UTC, your local time, and a human-relative form
(“2 hours ago”). Useful when reading log files, debugging
time-related code, or just figuring out what 1714363200 actually
means.
How it all works
Every operation runs locally in your browser. Hashes, HMAC, random number generation, base encoding, regex matching, font rendering — all of it. The site loads no third-party scripts, no analytics, no advertising frames. The only network requests after the initial page load are for the static assets themselves (HTML, CSS, JS, fonts, icons), and only on first visit — afterwards a Service Worker serves them offline.
Nothing you paste, type, or drop is sent anywhere or stored anywhere outside
your browser tab. The only persistent state is a few user preferences (theme,
palette, animation toggle) saved to localStorage. See the
Privacy Policy for the full version.