Encoding & Decoding Tools
8 toolsEncoding is the process of transforming data from one format to another for compatibility, transmission, or storage — and it is a fundamental concept every developer encounters, whether embedding images in CSS with Base64 data URIs, percent-encoding special characters in URL query strings, escaping HTML entities to prevent XSS vulnerabilities, or inspecting JWT tokens during API authentication debugging. These tools cover the encoding operations developers perform most frequently: Base64 encoding and decoding for text and images, URL percent-encoding for safe query parameter construction, HTML entity encoding for cross-site scripting prevention, JWT decoding for token inspection without signature verification, and SHA-1/SHA-256/SHA-512 hash generation for data integrity checks. A critical distinction to understand is that encoding is not encryption — Base64 and URL encoding are fully reversible without any secret key, and they provide zero confidentiality. Every tool on this page uses the Web Crypto API where cryptographic operations are involved and runs entirely in your browser, ensuring complete privacy for your sensitive data.
Base64 Encoder / Decoder
Encode plain text to Base64 or decode Base64 strings back to text instantly. No data is sent to any server — all encoding and decoding happens locally in your browser.
URL Encoder / Decoder
Encode and decode URL components online for free. Handles special characters, percent encoding, query strings, and full URLs — instant results with no server required.
Hash Generator
Generate SHA-1, SHA-256, and SHA-512 cryptographic hashes from any text string. Uses the browser Web Crypto API — your input never leaves your device.
JWT Decoder
Decode and inspect JWT tokens online without verification. Instantly view the header, payload claims, and expiration date — all processed locally in your browser.
HTML Entity Encoder / Decoder
Encode special characters to HTML entities and decode HTML entities back to plain text. Supports named, decimal, and hexadecimal formats — free online tool.
Bcrypt Generator & Verifier
Free online bcrypt hash generator and verifier. Generate bcrypt password hashes with adjustable cost factor and verify passwords against existing hashes — all in your browser.
Common Use Cases
Debug JWT tokens from API authentication responses to check claims and expiration
Base64-encode images for embedding as CSS data URIs or inline in HTML
Generate SHA-256 checksums for file integrity verification and data validation
URL-encode query parameters containing special characters for safe API requests
Decode Base64-encoded API payloads during integration debugging
Escape HTML entities in user-generated content to prevent XSS attacks
Verify bcrypt password hashes against known inputs for security testing
Frequently Asked Questions
What is the difference between encoding and encryption?
Encoding transforms data into a different format for compatibility (like Base64 for binary-to-text), and is fully reversible without a key. Encryption transforms data to protect confidentiality and requires a secret key to reverse. Base64 is encoding, not encryption — anyone can decode it.
Can I use these tools to encode sensitive data safely?
These tools run locally in your browser and never transmit data, so they are safe to use with sensitive content. However, remember that encoding (Base64, URL encoding) does not provide security — it is not encryption. Do not rely on encoding to protect secrets.
Which hash algorithm should I use for password storage?
None of the hash algorithms available here (SHA-1, SHA-256, SHA-512) are suitable for password storage on their own. Use a dedicated password hashing function like bcrypt, scrypt, or Argon2 that includes salting and key stretching. The hash tools here are best for checksums and data integrity verification.
What is a JWT token and why would I need to decode one?
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication and authorization in modern web applications. It contains three parts: a header (algorithm info), a payload (user claims like user ID, roles, and expiration), and a signature. Developers frequently need to decode JWTs during debugging — to check if a token has expired, verify the claims it carries, or inspect which algorithm was used. The JWT Decoder on this page lets you inspect token contents without verifying the signature, making it a fast debugging tool.
When should I use Base64 encoding vs. URL encoding?
Base64 encoding is used to represent binary data (like images, files, or arbitrary byte sequences) as ASCII text — common in email attachments (MIME), data URIs in HTML/CSS, and embedding binary content in JSON. URL encoding (percent-encoding) is used specifically to make text safe for inclusion in URLs by escaping reserved characters like &, =, ?, and spaces. Use Base64 when you need to embed binary data in text formats; use URL encoding when building URLs and query strings.
Why does the same text produce different hashes with SHA-256 vs SHA-512?
SHA-256 and SHA-512 are different algorithms in the SHA-2 family that produce different output sizes: SHA-256 generates a 256-bit (64-character hex) hash, while SHA-512 generates a 512-bit (128-character hex) hash. They use different internal round functions and word sizes. The same input will always produce the same hash within the same algorithm, but the outputs between algorithms are completely unrelated. Choose SHA-256 for general-purpose integrity checks and SHA-512 when you need a longer hash for higher collision resistance.
How do HTML entities prevent cross-site scripting (XSS) attacks?
XSS attacks occur when user-supplied content containing HTML or JavaScript is rendered unescaped in a web page. By encoding characters like < as <, > as >, and & as &, the browser displays them as literal text instead of interpreting them as HTML markup or script tags. This is a critical first layer of defense, but context-aware encoding (different encoding for HTML content, JavaScript strings, URLs, and CSS values) is required for comprehensive XSS prevention.
Related Tool Categories
Related Guides
Developer Generators: The Tools That Save You Hours Every Week
A practical guide to the generators every developer needs — UUIDs, passwords, QR codes, favicons, meta tags, robots.txt, .gitignore, and more. Learn when, why, and how to use each one.
Web Security: Encoding and Hashing Guide
Understand the differences between encoding, hashing, and encryption. Learn when to use Base64, SHA-256, bcrypt, and HTML entity encoding for web security.
HTTP Security Headers: The Complete Checklist for Your Web App
A practical guide to HTTP security headers — CSP, HSTS, X-Frame-Options, and more. Learn what each header does, how to configure it, and the real attacks they prevent.
DNS Records Explained: What Every Developer Should Know
A practical guide to DNS record types — A, AAAA, CNAME, MX, TXT, NS — with real examples. Learn how to troubleshoot DNS propagation, email delivery, and domain verification.
cURL for Developers: The Commands You'll Use Every Day
A practical cURL reference for developers — from basic GET requests to authentication, file uploads, and debugging. With code conversion examples for JavaScript, Python, and Go.
Environment Variables and Config Management: A Developer's Guide
Learn how to manage environment variables and configuration files securely. Covers .env files, secrets management, 12-factor app principles, and common mistakes that leak credentials.
IP Subnetting Demystified: A Practical Guide to CIDR and Subnet Masks
Learn IP subnetting from scratch — CIDR notation, subnet masks, network planning, and the mental math tricks that make it stick. No memorization tables needed.
SSL/TLS Certificates: What Developers Should Know
A developer-focused guide to SSL/TLS certificates — how they work, how to set them up, how to debug common issues, and why your staging environment keeps showing certificate warnings.
UUID vs NanoID vs ULID: Picking the Right ID for Your Project
A practical comparison of UUID, NanoID, and ULID with common implementation mistakes and performance considerations for developers.
CORS Errors Explained: Why Your Fetch Call Fails and How to Fix It
Understand why CORS errors happen, what the browser is actually doing, and how to fix the most common cross-origin request failures.
Password Security: Generation, Hashing, and Storage Best Practices
A complete guide to password security for developers. Learn password entropy, generation best practices, secure hashing with bcrypt and Argon2, and how to implement password policies correctly.
Base64 Encoding Mistakes That Silently Break Your App
Common Base64 encoding pitfalls including URL safety, padding issues, and binary handling — with clear fixes for each.
API Rate Limiting: How It Works and How to Handle It
Understand API rate limiting from both sides — implementing it as a backend developer and handling it gracefully as a consumer. Covers token bucket, sliding window, retry strategies, and common mistakes.
TypeScript Type Checking: Common Mistakes and How to Fix Them
Practical guide to TypeScript type checking pitfalls. Covers type narrowing, union types, generics, assertion traps, and runtime validation patterns every developer should know.
Linux File Permissions & chmod: A Developer's Practical Guide
Understand Linux file permissions, chmod commands, and octal notation. Covers common permission patterns for web servers, SSH keys, Docker, and CI/CD pipelines.
bcrypt vs SHA-256: Password Hashing Compared
Why SHA-256 is wrong for password storage and bcrypt is right. Learn about salting, key stretching, and modern password hashing best practices.
Git Best Practices Every Developer Should Know
Practical Git best practices for commit messages, branching, .gitignore, and common mistakes. Learn the habits that separate junior developers from senior ones.
XSS Prevention with HTML Entity Encoding
Learn how cross-site scripting (XSS) attacks work and how HTML entity encoding prevents them. Practical examples for JavaScript and server-side frameworks.
Why Base64 is Not Encryption
Base64 encoding is often mistaken for encryption. Learn exactly why Base64 provides zero security and when to use it correctly.