Which security tool should you use?

Security tools here cover the everyday auth-and-integrity tasks: inspecting JWTs from your auth provider, generating hashes for file integrity or password storage research, and minting tokens for local testing. None of these are substitutes for a real auth library or KMS — they're for debugging, learning, and one-off checks. Everything runs locally; tokens and inputs never leave your browser.

Decode a JWT to inspect claims, expiration, issuer (debug auth flows, OAuth bearer tokens) — use JWT Decoder & Inspector.
Generate a JWT for local testing with custom claims and HMAC-SHA256 signing — use JWT Generator. Never use this for production secrets.
Compute MD5/SHA-1/SHA-256/SHA-512 of text or a file for checksum verification, ETags, cache keys — use Hash Generator.
Generate a strong random password for a service account — use Password Generator (in our Generation hub).

Common security mistakes to avoid

Storing passwords as MD5 or SHA-256. Both are too fast — attackers crack billions/sec. Use bcrypt, argon2id, or scrypt on the server. Hash generators here are for integrity, not password storage.
Trusting JWT payload data without verifying the signature. Anyone can forge a JWT body. Always verify the signature on the server with the issuer's public key (or HMAC secret).
Embedding secrets in JWT payloads. JWT bodies are Base64-encoded, not encrypted. Anyone with the token reads the contents.
Using HS256 with a short secret. A weak HMAC key (under 32 bytes random) is brute-forceable. Use 256-bit random keys, or switch to RS256/ES256 for asymmetric signing.
Forgetting to set exp on JWTs. Tokens without expiration live forever — a leaked token is a permanent compromise. Always set exp; rotate refresh tokens regularly.

A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. A JWT consists of three Base64-encoded parts separated by dots: a header that specifies the signing algorithm, a payload containing claims such as user identity and expiration time, and a signature that verifies the token has not been tampered with. JWTs are widely used for authentication and authorization in modern web applications, APIs, and single sign-on systems.

Cryptographic hash functions are one-way mathematical algorithms that take an input of any size and produce a fixed-length output called a hash or digest. Popular algorithms include MD5 (128-bit), SHA-1 (160-bit), SHA-256 (256-bit), and SHA-512 (512-bit). They are used to verify file integrity through checksums, store passwords securely, detect data tampering, generate digital signatures, and ensure data has not been altered during transmission. A good hash function produces a completely different output even for a tiny change in the input.

Yes, it is safe when using a client-side tool like FreeDevTool. All decoding and hashing operations run entirely in your browser using JavaScript — your tokens, passwords, and data are never sent to any server. This is important because JWT tokens often contain sensitive user information such as email addresses, roles, and permissions. By processing everything locally, you eliminate the risk of your data being intercepted, logged, or stored by a third party. Always verify that any online tool you use operates client-side before pasting sensitive data.

Security & Hashing Tools

Which security tool should you use?

Common security mistakes to avoid