DevKits
4 tools

Free Online Security & Crypto Tools

Cryptographic utilities that keep your secrets on your machine

Security tools have a paradox: the moment you paste a secret into an online utility, that secret has left your control. The tools in this category solve the paradox by running every cryptographic operation locally in your browser using the native Web Crypto API. Hashes, HMAC signatures, JWT decoding and signing, and password generation all execute on your device — the input and any keys or secrets never leave the browser tab. That means you can safely use these tools with real signing secrets, real webhook payloads, and real tokens.

All Security & Crypto Tools

When to use these tools

Use these tools to verify webhook signatures, hash a value for a fingerprint, generate a strong per-account password, decode a JWT to inspect its claims, or reproduce a signing step while debugging an integration.

Frequently Asked Questions

Is my secret or token sent to your server?

No. Every operation uses the browser's native Web Crypto API and runs on your device. Neither inputs nor keys leave your browser tab.

Can I use MD5 or SHA-1 for passwords?

No. MD5 and SHA-1 are broken as password hashes. Use a dedicated password-hashing function like bcrypt, scrypt, or Argon2 with a per-user salt. Fast hashes are only appropriate for fingerprints and non-secret integrity checks.

Which algorithm should I pick for HMAC?

SHA-256 (HS256) is the modern default and is what AWS SigV4, most webhook signatures, and JWT HS256 use. Choose SHA-384 or SHA-512 only when a specification requires a longer digest.

Explore other categories