File hash
Drop a file. Compute MD5, SHA-1, SHA-256, SHA-384, SHA-512, CRC32 in parallel. MD5/CRC32 stream in 4 MB chunks; SHA digests buffer in memory (best for files up to a few hundred MB).
Drop a file or browse
Stays in your browser. Never uploaded.
Text hash
Paste any text. Hashes update as you type.
HMAC
Keyed-hash message authentication code. Web Crypto, hex output.
Hash compare
Paste two hashes. Whitespace and case ignored.
Base64
Encode text or file to Base64 / Base64-URL. Decode back to text or downloadable file.
Drop file to encode or browse
Outputs Base64 string + optional data: URL
URL · Query
Encode / decode + parse query strings into a readable table.
JWT · decode + sign
Decode header + payload, verify HS* signatures, and sign new tokens (HS256/384/512). Web Crypto HMAC — no upload.
Encrypt — AES-256-GCM
Password-based authenticated encryption. PBKDF2-SHA-256 600 000 iterations → AES-256-GCM. Output is a self-describing CTRYPT01 blob containing salt, IV, and iteration count — decrypt only needs the password.
Drop file to encrypt or browse
Downloads filename.ctrypt binary blob
Decrypt — AES-256-GCM
Decrypt any CTRYPT01 blob produced by the Encrypt tool. Wrong password fails fast (GCM tag verifies authenticity).
Drop .ctrypt file or browse
Original filename is preserved in the blob header
Key pair — RSA / ECDSA
Generate cryptographic key pairs in-browser via Web Crypto. PEM-encoded output, downloadable. Keys never leave your browser.
Argon2id — password hashing
OWASP / RFC 9106 recommended password-hash. Runs in WebAssembly. Tune memory, iterations, parallelism — defaults match OWASP 2023+ (m=19 MiB, t=2, p=1).
Bcrypt — password hashing
Classic password hash, still widely deployed (Node bcryptjs, Python bcrypt, PHP password_hash, Go x/crypto/bcrypt). PHC format $2b$rounds$salt+hash — cross-compatible with all listed.
Scrypt — memory-hard KDF
RFC 7914. Used by Litecoin, Tarsnap, Filebase. Memory-hard like Argon2 but older spec — still widely supported. Defaults match scrypt paper: N=2^15 (32 MiB), r=8, p=1.
PBKDF2 — Password-Based Key Derivation 2
RFC 8018. OWASP 2023+ minimums: 600 000 iter SHA-256 / 210 000 SHA-512 / 1 300 000 SHA-1. Legacy but still standard (Bitwarden, 1Password, BitLocker historically).
Salt generator
CSPRNG salts in every format needed: raw bytes, bcrypt/scrypt/Argon2 PHC, base64, base64url, hex, Base64-no-padding. Crypto-strong via crypto.getRandomValues.
AES-KW · Key wrapping (RFC 3394)
Wrap a symmetric key with another symmetric key (kek). NIST SP 800-38F. Used by JWE A128KW/A192KW/A256KW. Output is 8 bytes longer than input (auth tag).
Shamir Secret Sharing (k-of-n)
Split a secret into N shares; any K reconstruct it. Used by HashiCorp Vault unseal, GnuPG threshold signing, social recovery wallets. Pure GF(256) math — perfect secrecy with < K shares.
HKDF — key derivation (RFC 5869)
Derive cryptographic subkeys from any input key material. SHA-256/384/512. Standard for key expansion (TLS, Noise, Signal, age, etc.).
Sign · Verify — Ed25519 / RSA-PSS
Generate keypair → sign message → verify signature. Ed25519 (RFC 8032) — modern, fast, 64-byte signatures. RSA-PSS — wider compatibility.
TOTP · 2FA — RFC 6238
Time-based One-Time Password — what Google Authenticator / Authy / 1Password TOTP feature use. Generate secret + otpauth URL + QR; verify live codes.
Prompt Vault
Encrypt + version + tag LLM system prompts / tool definitions / templates. AES-256-GCM with PBKDF2 600 000 iter from master password. Vault stays in localStorage — nothing leaves the browser. Export to JSON for team share.
PASETO v4.public — Platform-Agnostic Security Tokens
Modern JWT alternative — purpose-built, no algorithm confusion (RFC 9111 / paseto.io). v4.public uses Ed25519 signatures. Each version+purpose is one fixed primitive — impossible to misuse.
Multi-recipient encrypt (age-style)
Generate fresh AES-256 data-encryption-key (DEK). Wrap DEK with each recipient's RSA-OAEP public key. Output JSON bundle — any single recipient can decrypt with their private key. Pattern: age / GPG multi-recipient / Signal sender keys.
RAG vector encryption
Encrypt embedding arrays + metadata for client-side-encrypted RAG (vector store stays oblivious). Per-chunk AES-256-GCM keyed via HKDF from master key + chunk-id. Float32 packed for size.
Post-Quantum Crypto — ML-KEM-768 + ML-DSA-65
NIST PQC standards FIPS 203 (ML-KEM, key encapsulation, ex-Kyber) + FIPS 204 (ML-DSA, signatures, ex-Dilithium) — finalized 2024. Quantum-resistant. Implementation: @noble/post-quantum via dynamic ESM import.
Token generator
Cryptographically random tokens via crypto.getRandomValues. Bulk up to 100.
UUID
v4 (random) and v7 (time-ordered, sortable). Bulk up to 100.
Password
Generate strong passwords, analyse any password's strength, or build BIP-39 passphrases — one toolkit.
Passphrase — BIP-39 wordlist
Diceware-style memorable passphrases from the 2048-word BIP-39 list (11 bits / word). 6 words ≈ 66 bits, 12 words ≈ 132 bits (Bitcoin standard).
QR code
Generate from any text or URL. Download PNG or SVG. Error-correction H by default (works with logos / damage).
Markdown scanner
Scan Markdown / HTML for malicious payloads and prompt-injection vectors before rendering, indexing, or feeding to an LLM. 20+ rules across XSS, hidden chars, IDN homoglyphs, URL shorteners, prompt injection, base64 exfil blobs.
Drop .md file or browse · or paste below
Random
Numbers, bytes, picks, shuffles. All from crypto.getRandomValues.
JSON → TS / Zod / JSON Schema
Paste a JSON sample → get a typed schema. Optionally treat numeric-keyed arrays as tuples, mark every field optional, or merge structurally-equivalent items.
Recipe pipeline
Chain operations on a single input. Each step transforms the previous step's output. Drag a step to reorder, click ✕ to remove. Output updates live.
Cron builder
5-field crontab — minute · hour · day-of-month · month · day-of-week. Live human description + next 5 fire times (UTC). 8 presets.
Network
IPv4 subnet calculator · IPv4 base converter · IPv6 expand/compress · MAC generator. All in-browser, instant.
CSP · Security headers
Paste a Content-Security-Policy or a raw response-header block. Parsed, graded, and audited for the usual footguns — entirely in-browser.
X.509 · SSH keys
Decode a PEM certificate (subject, SAN, validity, fingerprints) or generate an Ed25519 SSH keypair in OpenSSH format. Nothing leaves the browser.
DNS · Email auth
SPF, DMARC, DKIM, MX and CAA for any domain — queried over DNS-over-HTTPS (Google with Cloudflare fail-over), audited client-side.
Regex tester
Live matching with highlighted results, group capture, and replace preview. JavaScript regex engine, in-browser.
Data convert
Lossless conversion between JSON, YAML, TOML, and XML. Auto-detects source format, pretty prints, swaps with one click. All in-browser.
Timestamp · date
Convert between Unix epoch (seconds / milliseconds), ISO-8601, UTC and local time. The input format is auto-detected; nothing leaves your browser.
Number base
Convert an integer across binary, octal, decimal, hexadecimal and any radix 2–36. BigInt-backed, so 64-bit values and bitmasks keep full precision (no 253 rounding).
Case convert
Re-case identifiers and text across every common convention. Word boundaries are detected from case changes, separators and digit transitions (acronym-aware: parseHTTPResponse → parse_http_response).
Text · JSON diff
Line-by-line diff of two texts, fully in your browser (never paste a config into a random web differ). JSON mode normalizes key order + formatting first, so only real value changes show. The constant-time Hash compare stays separate for secrets.