input live · all encodings + decodings computed as you type

decodes only show when input is valid for that scheme. magic guesses are best-effort.

input paste anything - encoded, encrypted, or layered

flag format

recursively detects and unwraps encodings, auto-cracking single-byte XOR / Caesar and inflating gzip/zlib, then surfaces the most readable decode. set a flag format above (a wrapper like flag{...} / HTB{...}, a bare prefix like picoCTF, or a /regex/) and only matches of that exact pattern are tagged as the flag and ranked on top. leave it blank to rank purely by readability.

input

output

pick an operation below

XOR

CAESAR / ROT-N

VIGENÈRE

input live

SHA family via WebCrypto · MD5 / CRC32 pure-JS. hashing of UTF-8 bytes.

JWT decoder

JWT encoder

header
payload

builds base64url(header).base64url(payload).signature signed with HMAC (HS256/384/512). pick none for an unsigned alg:none token. the HMAC secret is what you would brute with hashcat -m 16500. changing the algorithm syncs the header's alg field.

hash identifier

timestamp converter

accepts unix (s/ms) or any Date-parseable string

string + frequency analysis

values fill into every command below & into the copy button live - set once, copy anywhere.