Security Tools

Hash generators, HMAC signatures, JWT decoder, RSA key pairs, and password generator - cryptographic tools that run entirely in your browser.

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from any text input.

MD5 SHA-256 SHA-512

HMAC Generator

Create HMAC signatures using SHA-256, SHA-384, or SHA-512 for API authentication.

HMAC-SHA256 HMAC-SHA512

Password Generator

Generate cryptographically secure passwords with customisable length, character sets, and strength indicator.

Secure Customisable

JWT Decoder/Encoder

Decode and encode JSON Web Tokens. Inspect headers, payloads, and verify signatures.

Decode Encode

RSA Key Pair Generator

Generate RSA key pairs for encryption or signing. 2048, 3072, or 4096-bit keys in PEM or JWK format.

RSA PEM JWK

Browser-Based Security Tools

Every tool on this page runs entirely in your browser using the Web Crypto API. No data is sent to any server - key generation, hashing, HMAC signing, and JWT decoding all happen client-side. Open your browser's network tab to verify.

Hashing vs HMAC

A hash function takes input and produces a fixed-size digest. It proves integrity - that the data has not been tampered with. HMAC adds a secret key to the process, proving both integrity and authenticity. Use hashes for checksums and fingerprinting. Use HMAC for API signatures and message authentication where you need to verify the sender.

RSA Key Pairs

RSA is an asymmetric algorithm - it uses two mathematically linked keys. The public key encrypts data or verifies signatures. The private key decrypts or signs. This separation means you can share the public key freely while keeping the private key secret. RSA is used in TLS certificates, SSH authentication, JWT signing, and encrypted email.

JWT Tokens

JSON Web Tokens encode claims as a compact, URL-safe string. They are used for authentication, API authorisation, and information exchange. A JWT has three parts: header, payload, and signature. Our decoder lets you inspect all three without sending the token to any server - important since tokens often contain sensitive user data.

Quick Links

Benefits
  • 100% browser-based
  • No registration
  • Free

Common Questions

All tools run entirely in your browser. No data is sent to any server. Key generation, hashing, and JWT decoding happen client-side using your browser's built-in Web Crypto API. Check the network tab to verify.

Yes. The keys are generated using the Web Crypto API with cryptographically secure randomness. However, for production infrastructure, consider using your platform's built-in key management (AWS KMS, GCP Cloud KMS) or generating keys on the server with OpenSSL.

For general hashing, SHA-256 is the standard choice. For password hashing, do not use SHA or MD5 - use bcrypt, Argon2, or scrypt instead. MD5 and SHA-1 are cryptographically broken and should only be used for checksums, not security.

A hash takes a message and produces a fixed-size digest. An HMAC takes a message plus a secret key and produces a keyed digest. HMAC proves both integrity and authenticity - only someone with the key could have generated it. Use HMAC for API signatures and message authentication.