input live · all encodings + decodings computed as you type
decodes only show when input is valid for that scheme. magic guesses are best-effort.
input paste anything - encoded, encrypted, or layered
recursively detects and unwraps encodings, auto-cracking single-byte XOR / Caesar and inflating gzip/zlib, then surfaces the most readable decode. set a flag format above (a wrapper like flag{...} / HTB{...}, a bare prefix like picoCTF, or a /regex/) and only matches of that exact pattern are tagged as the flag and ranked on top. leave it blank to rank purely by readability.
input
output
input live
SHA family via WebCrypto · MD5 / CRC32 pure-JS. hashing of UTF-8 bytes.
builds base64url(header).base64url(payload).signature signed with HMAC (HS256/384/512). pick none for an unsigned alg:none token. the HMAC secret is what you would brute with hashcat -m 16500. changing the algorithm syncs the header's alg field.