Encode · Decode · Hash · Transform — All in your browser, nothing sent to any server
Base64 encodes binary data using 64 printable ASCII characters. Used in JWT tokens, email attachments, data URIs, and HTTP Basic Auth.
Often ends with = or == padding. Uses only the characters A–Z, a–z, 0–9, + and /. Common in web tokens and encoded payloads.
Base64 is NOT encryption — it's encoding. Anyone can decode it instantly. Never use it to hide sensitive data.
Represents each byte as two hexadecimal digits (00–FF). Used in debuggers, packet analysis, memory dumps, and shellcode.
Examples: Wireshark packet data, shellcode (\x41\x42), colour codes (#FF0000), file magic bytes (MZ header = 4D 5A).
URL (percent) encoding replaces special characters with % followed by their hex value. Essential for passing special characters in query strings without breaking URLs.
Double encoding (%2520 = %25 + 20) bypasses some WAF/input filters. Common in path traversal: %2F = /, %2E%2E = ..
ROT13 rotates each letter by 13 places. Self-inverse: applying it twice returns the original. Used in forums to hide spoilers.
ROT47 rotates all printable ASCII characters (33–126) by 47. Used in CTFs and simple obfuscation of full text including symbols.
MD5: 128-bit hash. Broken for security: collision attacks exist. Still used for file integrity checks, never for passwords.
SHA-1: 160-bit hash. Deprecated for TLS/code signing since 2017. Still seen in git commit hashes and legacy systems.
SHA-2 family: the current standard. SHA-256 is used in Bitcoin, TLS certificates and HMAC signatures; SHA-512 for higher security needs.
Never use MD5/SHA for passwords! Use bcrypt, Argon2, or scrypt — they're intentionally slow to resist cracking.
Header.Payload.Signature — each part is Base64URL encoded. The signature validates integrity.
Common JWT weaknesses: alg:none attack, weak secrets, sensitive data in payload (it's not encrypted!), no expiry validation, algorithm confusion.
JWT payload is only Base64 encoded — anyone can read it. Never store secrets in JWT payload without encryption (use JWE).