Security tools
ClientThis page is an index—open a card for the dedicated route. Cryptography, signing, token inspection, checksums, compression, secrets generation, certificates, and validators stay client-side unless a tool page says otherwise.
Browse security utilities
Cards follow the home catalog order for this category.
Encrypt & decrypt
ClientEncrypt, decrypt, hash (AES, DES, RC4, Rabbit, TripleDES, MD5, SHA) and Base64—client-side.
HMAC (SHA-256 & more)
ClientHMAC-SHA-256/384/512/1 in the browser—hex or Base64 for webhooks, signing, and API docs.
File checksum & hash
ClientSHA-256, SHA-512, MD5, CRC-32, and more for a local file—verify downloads without uploading.
Subresource Integrity (SRI)
ClientSHA-256/384/512 base64 integrity tokens for script and link tags—UTF-8 paste or local file; Web Crypto only.
Luhn checksum (mod 10)
ClientPaste a digit string (spaces ignored)—pass or fail Luhn for PANs, IMEI-style IDs, and test vectors; browser-only.
IBAN validate & format
ClientMOD-97-10 checksum, country length (embedded list), compact or grouped copy—no bank lookup; browser-only.
Compress & minify
ClientHTML, JS, CSS, XML, SQL, JSON minify; batch JPEG/WebP image compression.
JWT decode
ClientInspect JWT header and payload as JSON in browser; signature not verified.
OAuth PKCE generator
ClientRFC 7636 code_verifier plus S256 code_challenge (SHA-256, base64url)—Web Crypto in your tab, no upload.
TOTP / authenticator codes
ClientRFC 6238 time-based one-time passwords from a Base32 secret—HMAC-SHA1, otpauth URI and optional QR; local only.
Validate tools
ClientHub for format validators—Web3 Ethereum address (EIP-55) and hex private key checks; more routes over time.
Web3 address & key check
ClientValidate 0x address length and EIP-55 checksum; check 64-digit hex private key shape and secp256k1 range—browser-only.
Password generator
ClientRandom passwords with length and character sets—generated in your browser.
Bcrypt hash & verify
Clientbcrypt password digests with adjustable cost (bcryptjs)—hash or verify $2a/$2b strings locally.
Random string generator
ClientRandom alphanumeric, hex, Base64 URL-safe, or custom tokens—entropy hint, local only.
PEM / X.509 viewer
ClientDecode PEM certificates in the browser—subject, issuer, validity; paste only what you trust.
Common use cases
- Open JWT decode when you need header and payload JSON from a signed token—remember verification is not performed here.
- Use HMAC or crypto when reproducing webhook signatures or comparing hash outputs from docs.
- Use file checksum when verifying a download against a published SHA-256 or MD5 without uploading the file.
- Use IBAN validate when you need MOD-97-10 and length checks locally—no bank directory lookup.
- Use OAuth PKCE when you need a fresh code_verifier and S256 code_challenge pair for a public client flow.
- Use TOTP when you need RFC 6238 codes from a Base32 secret—compare against your IdP or build otpauth URIs without uploading secrets.
- Use SRI when you need sha256/sha384/sha512 integrity tokens for script or link tags from the exact bytes you will serve.
- Use bcrypt when you need slow password digests or to verify a candidate password against an existing $2a/$2b hash locally.
- Jump to Validate tools for Web3 address checks and similar format guards, then return here for other security utilities.
Common mistakes to avoid
Pasting live secrets into shared machines
Processing is local on Toolcore, but screen visibility and clipboard history still matter—prefer redacted samples.
Assuming JWT decode implies trust
Decoding only shows claims; signature and audience checks belong in your application code.
FAQ
Where are format validators?
The validators hub is at /tools/validate (Web3 and more). It is listed below with the other security tools.
Is data sent to a server?
These tools run in your browser unless a specific page documents otherwise.