// Encode
A client-side utility belt: base64, hashes, classic ciphers, encryption, public keys, JWT, and QR. Nothing you paste here leaves your browser.
Every tab runs entirely in your browser. Encoding, ciphers, hashing, encryption, and QR all run on local JavaScript (hashing and AES encryption use the built-in Web Crypto API; ChaCha uses a vendored, self-hosted library), so nothing you paste leaves the page. Open DevTools → Network and watch: no requests.
SHA-256·
SHA-1·
SHA-512·
These are puzzles, not security. Classic ciphers are great for CTFs, escape rooms and learning how ciphers work, but anyone can break them in seconds. For an actual secret, use the Encrypt tab (AES-256-GCM).

Two authenticated ciphers, both key-stretching your passphrase with PBKDF2 (600k rounds): AES-256-GCM through the browser's own Web Crypto, and ChaCha20-Poly1305 (the XChaCha20 extended-nonce variant) through a vendored, audited library (@noble/ciphers). The choice is recorded in the output, so Decrypt works out which one on its own. Both are strong; AES is the default. Share the passphrase over a different channel; it never reaches us, so if it is lost the message is unrecoverable.

No shared passphrase needed. Encrypt to someone's public key and only their private key can open it. Generate a pair below, share the public half anywhere, and keep the private half secret.
Public keyshare this
Private keykeep secret

RSA-OAEP + AES-256-GCM hybrid, all in your browser via Web Crypto. RSA can only wrap a few hundred bytes, so a fresh random AES key encrypts your message and RSA just locks that key to the recipient. Encrypt uses the public key field above; Decrypt uses the private one. The private key never leaves this page, so if you lose it the message is gone.

Decode only. A JWT is not encrypted, anyone holding it can read these contents. The signature is what proves it is genuine, and we do not verify it here.

Built on the browser's Web Crypto API plus two vendored, self-hosted libraries (a QR generator and @noble/ciphers for ChaCha), so the Content-Security-Policy stays self-only. Pasting, hashing, encrypting, decoding, and generating make no network requests.
// Good to know
Base64 is encoding, not encryption. It hides nothing; anyone can decode it. Use it to move binary through text-only channels, not to keep secrets.
A hash is one-way. Use it to check a file downloaded intact (compare the checksum), not to "encrypt". SHA-256 is the safe default; SHA-1 is here only because some tools still print it.
Encrypt uses authenticated AES-256-GCM or ChaCha20-Poly1305, so a wrong passphrase or any tampering fails loudly rather than returning garbage. The passphrase is your responsibility; we never see it.
It all runs on your device. More on what we can and can't see is on How it works.