File hash

Drop a file. Compute MD5, SHA-1, SHA-256, SHA-384, SHA-512, CRC32 in parallel. MD5/CRC32 stream in 4 MB chunks; SHA digests buffer in memory (best for files up to a few hundred MB).

Drop a file or browse

Stays in your browser. Never uploaded.

Text hash

Paste any text. Hashes update as you type.

0 B · 0 chars

HMAC

Keyed-hash message authentication code. Web Crypto, hex output.

Hash compare

Paste two hashes. Whitespace and case ignored.

Enter two hashes…

Base64

Encode text or file to Base64 / Base64-URL. Decode back to text or downloadable file.


      

URL · Query

Encode / decode + parse query strings into a readable table.


      
    

JWT · decode + sign

Decode header + payload, verify HS* signatures, and sign new tokens (HS256/384/512). Web Crypto HMAC — no upload.


        

        

RS* / ES* / EdDSA verification not supported in-browser — paste only HMAC tokens (HS256 / HS384 / HS512).

Sign — build a new JWT

        

Encrypt — AES-256-GCM

Password-based authenticated encryption. PBKDF2-SHA-256 600 000 iterations → AES-256-GCM. Output is a self-describing CTRYPT01 blob containing salt, IV, and iteration count — decrypt only needs the password.


      

Decrypt — AES-256-GCM

Decrypt any CTRYPT01 blob produced by the Encrypt tool. Wrong password fails fast (GCM tag verifies authenticity).


      

Key pair — RSA / ECDSA

Generate cryptographic key pairs in-browser via Web Crypto. PEM-encoded output, downloadable. Keys never leave your browser.


      

Argon2id — password hashing

OWASP / RFC 9106 recommended password-hash. Runs in WebAssembly. Tune memory, iterations, parallelism — defaults match OWASP 2023+ (m=19 MiB, t=2, p=1).


      
      
      

Bcrypt — password hashing

Classic password hash, still widely deployed (Node bcryptjs, Python bcrypt, PHP password_hash, Go x/crypto/bcrypt). PHC format $2b$rounds$salt+hash — cross-compatible with all listed.

2^N iterations. OWASP min 12. Each +1 doubles time.

      
→ Apache/nginx .htpasswd line ($2y$)

      
      
      

Scrypt — memory-hard KDF

RFC 7914. Used by Litecoin, Tarsnap, Filebase. Memory-hard like Argon2 but older spec — still widely supported. Defaults match scrypt paper: N=2^15 (32 MiB), r=8, p=1.


      
      

    

PBKDF2 — Password-Based Key Derivation 2

RFC 8018. OWASP 2023+ minimums: 600 000 iter SHA-256 / 210 000 SHA-512 / 1 300 000 SHA-1. Legacy but still standard (Bitwarden, 1Password, BitLocker historically).


      
      

    

Salt generator

CSPRNG salts in every format needed: raw bytes, bcrypt/scrypt/Argon2 PHC, base64, base64url, hex, Base64-no-padding. Crypto-strong via crypto.getRandomValues.

AES-KW · Key wrapping (RFC 3394)

Wrap a symmetric key with another symmetric key (kek). NIST SP 800-38F. Used by JWE A128KW/A192KW/A256KW. Output is 8 bytes longer than input (auth tag).



      
      
      

    

Shamir Secret Sharing (k-of-n)

Split a secret into N shares; any K reconstruct it. Used by HashiCorp Vault unseal, GnuPG threshold signing, social recovery wallets. Pure GF(256) math — perfect secrecy with < K shares.



      
      
      

      
    

HKDF — key derivation (RFC 5869)

Derive cryptographic subkeys from any input key material. SHA-256/384/512. Standard for key expansion (TLS, Noise, Signal, age, etc.).


    

Sign · Verify — Ed25519 / RSA-PSS

Generate keypair → sign message → verify signature. Ed25519 (RFC 8032) — modern, fast, 64-byte signatures. RSA-PSS — wider compatibility.


      


      
      
      
      

TOTP · 2FA — RFC 6238

Time-based One-Time Password — what Google Authenticator / Authy / 1Password TOTP feature use. Generate secret + otpauth URL + QR; verify live codes.


      
      


      
— — — — — —

Prompt Vault

Encrypt + version + tag LLM system prompts / tool definitions / templates. AES-256-GCM with PBKDF2 600 000 iter from master password. Vault stays in localStorage — nothing leaves the browser. Export to JSON for team share.

No vault detected — entering a password creates one.

PASETO v4.public — Platform-Agnostic Security Tokens

Modern JWT alternative — purpose-built, no algorithm confusion (RFC 9111 / paseto.io). v4.public uses Ed25519 signatures. Each version+purpose is one fixed primitive — impossible to misuse.


        
        
        

      

Multi-recipient encrypt (age-style)

Generate fresh AES-256 data-encryption-key (DEK). Wrap DEK with each recipient's RSA-OAEP public key. Output JSON bundle — any single recipient can decrypt with their private key. Pattern: age / GPG multi-recipient / Signal sender keys.

0 recipients


      
      
      
      
      

    

RAG vector encryption

Encrypt embedding arrays + metadata for client-side-encrypted RAG (vector store stays oblivious). Per-chunk AES-256-GCM keyed via HKDF from master key + chunk-id. Float32 packed for size.


    

Post-Quantum Crypto — ML-KEM-768 + ML-DSA-65

NIST PQC standards FIPS 203 (ML-KEM, key encapsulation, ex-Kyber) + FIPS 204 (ML-DSA, signatures, ex-Dilithium) — finalized 2024. Quantum-resistant. Implementation: @noble/post-quantum via dynamic ESM import.

Loading library…

      
      
      

        
        


        
        
        

      

Token generator

Cryptographically random tokens via crypto.getRandomValues. Bulk up to 100.


    

UUID

v4 (random) and v7 (time-ordered, sortable). Bulk up to 100.


    

Password

Generate strong passwords, analyse any password's strength, or build BIP-39 passphrases — one toolkit.


      
Input
Score
Crack time
Findings

Passphrase — BIP-39 wordlist

Diceware-style memorable passphrases from the 2048-word BIP-39 list (11 bits / word). 6 words ≈ 66 bits, 12 words ≈ 132 bits (Bitcoin standard).


    

QR code

Generate from any text or URL. Download PNG or SVG. Error-correction H by default (works with logos / damage).

Markdown scanner

Scan Markdown / HTML for malicious payloads and prompt-injection vectors before rendering, indexing, or feeding to an LLM. 20+ rules across XSS, hidden chars, IDN homoglyphs, URL shorteners, prompt injection, base64 exfil blobs.

Drop .md file or browse · or paste below

Random

Numbers, bytes, picks, shuffles. All from crypto.getRandomValues.

Numbers

      
Bytes

      
Pick / shuffle

      

JSON → TS / Zod / JSON Schema

Paste a JSON sample → get a typed schema. Optionally treat numeric-keyed arrays as tuples, mark every field optional, or merge structurally-equivalent items.

Input
Output

        

Recipe pipeline

Chain operations on a single input. Each step transforms the previous step's output. Drag a step to reorder, click ✕ to remove. Output updates live.

Input
Recipe (steps)
    Output
    
            
    Intermediate steps
    
            

    Cron builder

    5-field crontab — minute · hour · day-of-month · month · day-of-week. Live human description + next 5 fire times (UTC). 8 presets.

    Expression
    Human description

    Next 5 fire times (UTC)
    
          

    Network

    IPv4 subnet calculator · IPv4 base converter · IPv6 expand/compress · MAC generator. All in-browser, instant.

    IPv4 subnet calculator
    
          
    IPv4 base converter
    IPv6 expand / compress
    MAC generator
    
          

    CSP · Security headers

    Paste a Content-Security-Policy or a raw response-header block. Parsed, graded, and audited for the usual footguns — entirely in-browser.

    CSP analyzer
    Security headers grader

    X.509 · SSH keys

    Decode a PEM certificate (subject, SAN, validity, fingerprints) or generate an Ed25519 SSH keypair in OpenSSH format. Nothing leaves the browser.

    X.509 certificate decoder
    
          
    SSH Ed25519 keypair (OpenSSH format)
    
            
            
            
    
          

    DNS · Email auth

    SPF, DMARC, DKIM, MX and CAA for any domain — queried over DNS-over-HTTPS (Google with Cloudflare fail-over), audited client-side.

    Domain check

    Regex tester

    Live matching with highlighted results, group capture, and replace preview. JavaScript regex engine, in-browser.

    Pattern
    Test string
    
            
            
    
          
    Replace preview
    
          

    Data convert

    Lossless conversion between JSON, YAML, TOML, and XML. Auto-detects source format, pretty prints, swaps with one click. All in-browser.

    Source

    Output
    
            

    Timestamp · date

    Convert between Unix epoch (seconds / milliseconds), ISO-8601, UTC and local time. The input format is auto-detected; nothing leaves your browser.

    Unix (s)
    Unix (ms)
    ISO-8601 (UTC)
    UTC
    Local
    Relative

    Number base

    Convert an integer across binary, octal, decimal, hexadecimal and any radix 2–36. BigInt-backed, so 64-bit values and bitmasks keep full precision (no 253 rounding).

    Case convert

    Re-case identifiers and text across every common convention. Word boundaries are detected from case changes, separators and digit transitions (acronym-aware: parseHTTPResponseparse_http_response).

    camelCase
    PascalCase
    snake_case
    kebab-case
    CONSTANT_CASE
    dot.case
    path/case
    Title Case
    Sentence case
    lower
    UPPER

    Text · JSON diff

    Line-by-line diff of two texts, fully in your browser (never paste a config into a random web differ). JSON mode normalizes key order + formatting first, so only real value changes show. The constant-time Hash compare stays separate for secrets.

    
        
    New version available