Developer Security Tools Guide

Free Hash · HMAC · AES · RSA · JWT · Password
No signup · No data stored · Works offline

Tools in this guide

Hash Generator: MD5, SHA-1, SHA-256, SHA-512 & more
HMAC Generator: HMAC-SHA256 for API and webhook signing
AES Encrypt & Decrypt: AES-128/192/256 browser-based encryption
RSA Encrypt & Decrypt: RSA-OAEP 2048/4096-bit key pairs
JWT Decoder: Inspect header, payload and expiry
Password Generator: Cryptographically secure random passwords
Base64 Encoder: Encode binary data and key material
URL Encoder: Percent-encode query parameters

Last updated: March 2026  ·  v1.0

Quick Answer

What are the key cryptographic tools every developer needs?

Developers regularly need hashing, signing, encryption and token inspection. The 5 most important rules:

  1. Never use MD5 or SHA-1 for security — they are cryptographically broken. Use SHA-256 minimum.
  2. Never use SHA-256 for passwords — it is too fast. Use bcrypt, scrypt or Argon2.
  3. HMAC ≠ hash: HMAC requires a secret key; a plain hash does not prove authenticity.
  4. Use AES for data at rest, RSA for key exchange — never RSA for bulk data (1000× slower than AES).
  5. JWT payloads are not encrypted by default — they are only signed; never put sensitive data in a JWT without JWE.

Security operations — hashing a payload, signing an API request, encrypting sensitive data, decoding a JWT — are part of daily developer work. Having fast, reliable browser-based tools for these operations means you can inspect and verify security artifacts without setting up local environments or uploading sensitive data to unknown servers.

Hashing: MD5 vs SHA-1 vs SHA-256 vs SHA-512

A hash function takes an input of any size and produces a fixed-size output (the digest). The same input always produces the same output; even a single character change produces a completely different digest.

MD5 produces a 128-bit (32 hex character) digest. It is fast but cryptographically broken. Use MD5 only for checksums where collision resistance is not required, such as detecting accidental file corruption or cache invalidation keys.

SHA-1 produces a 160-bit digest. It has also been considered broken since 2017 (the SHAttered attack). Avoid SHA-1 for new security-critical code.

SHA-256 (part of the SHA-2 family) produces a 256-bit digest and is the current standard for security-critical hashing. Used in TLS certificates, code signing, and most modern authentication systems.

SHA-512 produces a 512-bit digest. On 64-bit processors, SHA-512 is often faster than SHA-256 due to its internal word size matching the processor's native width.

HMAC: signing API requests and webhooks

HMAC (Hash-based Message Authentication Code) adds a secret key to a hash, producing a signature that proves both that the content was not altered and that the sender holds the secret key.

AWS Signature v4 uses HMAC-SHA256 to sign every API request. The signature covers the HTTP method, URL, headers, and body hash, preventing any tampering in transit.

Stripe and GitHub webhooks include an X-Stripe-Signature or X-Hub-Signature-256 header containing an HMAC-SHA256 of the request body. Your server recomputes this with your webhook secret and rejects requests where the signatures don't match.

JWT HS256 uses HMAC-SHA256 to sign the token header and payload. Use our HMAC Generator to compute and verify HMAC signatures during development and debugging.

AES vs RSA: symmetric vs asymmetric encryption

AES (symmetric) uses the same key to encrypt and decrypt. It is extremely fast — modern CPUs have hardware instructions for AES achieving multi-gigabyte throughput. AES-256 is used for encrypting data at rest: database fields, file encryption, disk encryption.

RSA (asymmetric) uses a public key to encrypt and the corresponding private key to decrypt. RSA is much slower than AES (1000x or more for bulk data), so it is typically used only to encrypt a small AES key, which then encrypts the actual data (hybrid encryption, as used in TLS).

Padding matters: Never use raw RSA without padding. RSA-OAEP (Optimal Asymmetric Encryption Padding) is the secure standard. Our RSA Encrypt & Decrypt tool uses RSA-OAEP exclusively.

JWT tokens: structure, claims, and common issues

A JWT (JSON Web Token) consists of three Base64url-encoded parts separated by dots: header, payload, and signature.

Header: Specifies the algorithm. {"alg": "HS256", "typ": "JWT"} means HMAC-SHA256 signing. RS256 means RSA-SHA256.

Payload: Contains claims — standard claims include sub (user ID), iss (issuer), exp (expiration Unix timestamp), and iat (issued at).

The none algorithm vulnerability: Some JWT libraries accept {"alg": "none"}, bypassing signature verification entirely. Always verify the algorithm on your server and reject tokens with unexpected algorithms.

JWTs are not encrypted by default: A standard JWT is signed but not encrypted — anyone who intercepts it can read the payload. Never put sensitive data in a JWT payload unless you use JWE.

Frequently asked questions about developer security tools

Can I use SHA-256 for password hashing?

No. SHA-256 is a fast general-purpose hash, which makes it easy to brute-force passwords. Use bcrypt, scrypt, or Argon2 instead — these are designed to be slow and memory-hard. Our Password Generator creates strong passwords; storage should use bcrypt/Argon2 on your server.

What is the difference between encoding and encryption?

Encoding (like Base64) transforms data for compatibility — it is reversible without a key. Encryption (like AES) protects confidentiality — it is reversible only with the correct key. Never use Base64 as a security measure.

How do I check if a JWT is expired?

Use our JWT Decoder. Paste the token and the tool reads the exp claim and shows the expiration date with a clear expired/valid indicator.

Is it safe to generate passwords in a browser?

Yes, when using crypto.getRandomValues(), which is what our Password Generator uses. This is the browser's CSPRNG, the same entropy source used by the operating system for key generation.

What AES key size should I use?

AES-256 for all new applications. AES-128 is technically secure against known attacks, but AES-256 provides a larger margin. The performance difference is negligible on modern hardware.