Free Online Security & Crypto Tools
Cryptographic utilities that keep your secrets on your machine
Security tools have a paradox: the moment you paste a secret into an online utility, that secret has left your control. The tools in this category solve the paradox by running every cryptographic operation locally in your browser using the native Web Crypto API. Hashes, HMAC signatures, JWT decoding and signing, and password generation all execute on your device — the input and any keys or secrets never leave the browser tab. That means you can safely use these tools with real signing secrets, real webhook payloads, and real tokens.
All Security & Crypto Tools
JWT Decoder
Decode JSON Web Tokens (JWT) to inspect the header, payload, and signature. Runs entirely in your browser — tokens are never sent to any server.
Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes of any text online. All hashing happens in your browser using the Web Crypto API.
JWT Generator
Create signed JSON Web Tokens with HMAC-SHA algorithms. Set custom claims, expiration, and secret — everything runs locally in your browser.
HMAC Generator
Compute HMAC signatures with SHA-1, SHA-256, SHA-384, or SHA-512. Used to verify API requests, sign webhooks, and authenticate messages.
When to use these tools
Use these tools to verify webhook signatures, hash a value for a fingerprint, generate a strong per-account password, decode a JWT to inspect its claims, or reproduce a signing step while debugging an integration.
Frequently Asked Questions
Is my secret or token sent to your server?
No. Every operation uses the browser's native Web Crypto API and runs on your device. Neither inputs nor keys leave your browser tab.
Can I use MD5 or SHA-1 for passwords?
No. MD5 and SHA-1 are broken as password hashes. Use a dedicated password-hashing function like bcrypt, scrypt, or Argon2 with a per-user salt. Fast hashes are only appropriate for fingerprints and non-secret integrity checks.
Which algorithm should I pick for HMAC?
SHA-256 (HS256) is the modern default and is what AWS SigV4, most webhook signatures, and JWT HS256 use. Choose SHA-384 or SHA-512 only when a specification requires a longer digest.