Base64, URL encoding, JWTs, and hashing turn up in every web stack, and the same misunderstandings turn up with them: that encoding is encryption, that decoding a token verifies it, that a hash can be reversed. These guides clear that up with plain explanations and worked examples, and each one links a tool that does the job right in your browser, so your data never leaves the page.
Base64 Explained: Why Encoding Is Not Encryption
What Base64 actually does, why it makes data about a third larger, when to use it, and why it protects nothing on its own.
URL Encoding Explained: When and Why to Percent-Encode
Why URLs use %20 and other percent codes, which characters are safe, and when to reach for encodeURIComponent instead of encodeURI.
How to Read a JWT, and Why Decoding Is Not Verifying
A JWT is three Base64url parts anyone can read. Learn how to decode one, what each part means, and why decoding proves nothing.
Hashing vs Encryption: What a Hash Can and Cannot Do
Hashing is one-way and keyless; encryption is two-way and needs a key. Learn the difference, why you cannot decrypt a hash, and when to use each.
How Passwords Should Be Stored: Salting, bcrypt, and Why Not SHA-256
Why a fast hash like SHA-256 is wrong for passwords, what a salt does, and why bcrypt, scrypt, and Argon2 are the right tools.
How Webhook Signatures Work: HMAC, Shared Secrets, and Timing-Safe Checks
How Stripe and GitHub prove a webhook is genuine using HMAC and a shared secret, and the timing-safe comparison most developers get wrong.
UUIDv4 vs UUIDv7: Why Time-Ordered IDs Make Better Database Keys
UUIDv4 is random and scatters database indexes; UUIDv7 is time-ordered and inserts in order. Learn the difference and when each one wins.
Data URIs: Embedding Images with Base64, and When It Backfires
Inlining an image as a Base64 data URI removes a request but breaks caching and adds 33% to the size. Learn the size rules and the better SVG trick.
Are Online Encoder and Hash Tools Safe? How to Tell If One Uploads Your Data
Many online encoders and decoders send your input to a server. Here is how to tell whether a tool runs locally, and what never to paste in.
Tools in this guide
Encode text to Base64 or decode Base64 back to text. UTF-8 safe with automatic direction detection.
Percent-encode and decode URLs and URL components, UTF-8 safe.
Decode a JSON Web Token to inspect its header and payload, with human-readable expiry and issue times. Runs entirely in your browser; tokens are never uploaded.
Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes of any text, right in your browser.
Generate an HMAC for a message and secret key using SHA-1, SHA-256, SHA-384 or SHA-512, in your browser.
Hash a password with bcrypt and verify a password against a bcrypt hash, entirely in your browser.
Encode text to HTML entities or decode entities back to text, UTF-8 safe and client-side.
Generate 5 random RFC 4122 version 4 UUIDs at once. The input is ignored; run again for a new batch.
Convert an image into a Base64 data URI for embedding in HTML, CSS or JSON, entirely in your browser.