tools / encode
Encoding tools.
Base64, URL encoding, JWT inspection, SHA hashes. All native, all local — no WASM blob, no third-party libraries, no server. Even your JWT secrets stay in the browser.
Encode or decode text (UTF-8) or a file. Optional URL-safe variant strips padding and replaces +/ with -_.
Or to encode its bytes.
FAQ
- Is the JWT decoder safe to paste production tokens into?
- Yes. The decoder runs in your browser — there is no network request. You can verify by opening the network tab and pasting a token. That said: rotating a token you've shared anywhere (including a debugger) is always good hygiene. The decoder does NOT verify the signature, so it can't tell you if a token is valid, only what it claims.
- Why is MD5 missing?
- MD5 isn't part of WebCrypto's SubtleCrypto API because it's been cryptographically broken for over a decade. Adding it back via a JS polyfill would just legitimize that brokenness. If you need an MD5 for a non-security purpose (e.g. matching an existing checksum), use a CLI tool — the system has md5sum, openssl, certutil, etc.
- What does URL-safe Base64 mean?
- Standard Base64 uses + and / which have special meaning in URLs (and = padding can trip up some parsers). URL-safe Base64 swaps + → -, / → _, and drops trailing =. It's what JWTs use. The decoder accepts either variant.
- Are large files handled efficiently?
- Hashing reads the file into memory and hands the bytes to SubtleCrypto, which is hardware-accelerated. Base64 of a large binary file does a JS-side string build — fine up to a few hundred MB, slower beyond. For multi-GB files, use a CLI tool.