← All Tools ZeroDataUpload Home

Encode / Decode

10 text encodings, file-to-Base64, JWT decoder, and 5 hash algorithms — all in your browser

Launch Encode / Decode →
Encode / Decode

Table of Contents

  1. Overview
  2. Key Features
  3. How to Use
  4. Frequently Asked Questions
  5. Privacy & Security

Overview

Encode / Decode is a universal encoding toolkit that brings together four powerful conversion categories under a single interface: 10 text encoding formats, file-to-Base64 conversion, JWT token inspection, and cryptographic hash generation. Every operation runs entirely in your browser using native JavaScript APIs and the Web Crypto API — no data is ever sent to a server.

The tool is organized into four tabs, each targeting a distinct use case. The Text Encodings tab handles conversion between 10 different formats including Base64, URL encoding, HTML entities, hexadecimal, binary, Unicode escapes, ROT13, Punycode (for international domain names), ASCII85, and Morse code. The File↔Base64 tab converts any file into Base64 with six output format options — raw Base64, data URI, CSS background, HTML <img> tag, Markdown image, and JSON object — plus reverse decoding from Base64 back to a downloadable file. The JWT Decoder tab parses JSON Web Tokens into their three components (header, payload, and signature) with automatic expiry detection. The Hash Generator tab computes five hash algorithms simultaneously: MD5, SHA-1, SHA-256, SHA-384, and SHA-512.

Under the hood, text encoding relies on browser-native functions like btoa() and atob() for Base64 (with UTF-8 awareness via the btoa(unescape(encodeURIComponent())) pattern), encodeURIComponent() for URL encoding following RFC 3986, the TextEncoder API for UTF-8 byte manipulation in hex and binary modes, and the URL() constructor for Punycode/IDN processing. Hash generation uses the asynchronous crypto.subtle.digest() method from the Web Crypto API for SHA-family algorithms, with a custom pure-JavaScript implementation for MD5. The entire application is built with DM Sans for UI text and JetBrains Mono for code output, and supports both dark and light themes stored under the enc-theme localStorage key.

Key Features

10 Text Encodings

Convert between Base64, URL encoding, HTML entities, hexadecimal, binary, Unicode escapes, ROT13, Punycode (IDN), ASCII85/Base85, and Morse code. Each format handles full UTF-8 text with proper encoding awareness and padding.

File↔Base64

Convert any file to Base64 with six output formats: raw Base64 string, data URI with MIME type, CSS background-image rule, HTML <img> tag, Markdown image syntax, and JSON object. Reverse-decode Base64 back to a downloadable file with automatic extension detection.

JWT Decoder

Paste any JSON Web Token to instantly inspect its header (algorithm, type), payload (claims, subject, issuer), and signature. Automatic expiry detection displays a clear ⚠️ EXPIRED warning with the original issued-at timestamp for quick token validation.

5 Hash Algorithms

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes simultaneously from any text input. SHA-family hashes use the asynchronous crypto.subtle.digest() Web Crypto API, while MD5 uses a custom client-side implementation. Each hash has its own copy button.

Bidirectional Conversion

The Swap button does double duty: it exchanges the text in the input and output fields and toggles the conversion direction between encode and decode. This makes round-trip testing instant — encode text, swap, and verify the decode matches the original.

Keyboard Shortcuts

Press Ctrl+Enter to trigger conversion without reaching for the mouse. Combined with the swap button and tab navigation, power users can encode, decode, and hash text entirely from the keyboard with instant real-time feedback.

Multiple Output Modes

Copy results to clipboard with a single click (with fallback for older browsers), download output as a .txt file, and monitor live character counts on both input and output areas. The encoding ratio display shows the size expansion factor for each format.

Privacy-First Architecture

Zero server contact for any operation. All 10 text encodings, file conversions, JWT parsing, and hash computations run exclusively in your browser. No text, files, tokens, or hashes are ever transmitted, logged, or stored remotely.

How to Use

  1. Open the tool and select a tab — Launch Encode / Decode and choose one of the four tabs at the top: Text Encodings for format conversions, File↔Base64 for file encoding, JWT Decoder for token inspection, or Hash Generator for cryptographic hashing.
  2. Choose your encoding formats — In the Text Encodings tab, select the input format and the desired output format from the dropdown menus. Options include Base64, URL Encoding, HTML Entities, Hexadecimal, Binary, Unicode Escapes, ROT13, Punycode, ASCII85, and Morse Code.
  3. Enter your input — Type or paste text into the input area for text encoding, drag-and-drop or upload a file for File↔Base64, paste a JWT string for the decoder, or enter text for hash generation. The live character count updates as you type.
  4. Click Convert or press Ctrl+Enter — The result appears instantly in the output area. For text encodings, you see the converted string. For files, you get the Base64 output in your chosen format. For JWTs, the header, payload, and signature are displayed separately. For hashes, all five algorithms generate in parallel.
  5. Use Swap to reverse direction — Click the Swap button between input and output to exchange the text in both fields and toggle the conversion direction from encode to decode (or vice versa). This lets you instantly verify round-trip conversions.
  6. Copy or download the output — Click the Copy button to copy the result to your clipboard, or click Download to save the output as a .txt file. The clipboard function includes a fallback mechanism for browsers that do not support the modern Clipboard API.
  7. Generate hashes with individual copy — In the Hash Generator tab, all five algorithms (MD5, SHA-1, SHA-256, SHA-384, SHA-512) compute simultaneously when you click Generate. Each hash value has its own dedicated copy button, so you can grab exactly the algorithm you need.

Frequently Asked Questions

How many encoding formats are supported?
Encode / Decode supports 10 text encoding formats (Base64, URL Encoding, HTML Entities, Hexadecimal, Binary, Unicode Escapes, ROT13, Punycode, ASCII85, and Morse Code), plus file-to-Base64 conversion with 6 output variants, JWT token decoding, and 5 cryptographic hash algorithms. In total, the tool covers over 20 distinct conversion and hashing operations across its four tabs.
What is Base64 and when should I use it?
Base64 is a binary-to-text encoding scheme that converts binary data into a string of 64 printable ASCII characters (A-Z, a-z, 0-9, +, /) with = padding. It is commonly used to embed binary content in text-only contexts: email attachments (MIME), data URIs in HTML and CSS, storing binary data in JSON or XML, and transmitting files through APIs. The trade-off is a 33% size increase — every 3 bytes of input become 4 Base64 characters. The tool uses the UTF-8-aware pattern btoa(unescape(encodeURIComponent(text))) to correctly handle multi-byte characters like emojis and accented letters.
What is the difference between Base64 and ASCII85?
Both are binary-to-text encodings, but they differ in efficiency and character set. Base64 uses 64 characters and expands data by approximately 33% (3 bytes become 4 characters). ASCII85 (also called Base85) uses 85 printable ASCII characters and expands data by only 25% (4 bytes become 5 characters), making it more compact. ASCII85 uses <~ and ~> delimiters to mark the encoded block and employs a special z shorthand for groups of four null bytes. ASCII85 is used in PostScript, PDF internals, and some programming contexts. Base64 is far more common on the web due to broader tool support and simpler implementation.
Does the JWT decoder verify signatures?
No. The JWT Decoder performs inspection only — it splits the token into its three dot-separated parts, Base64url-decodes the header and payload (converting - to + and _ to / for standard Base64 compatibility), and displays the parsed JSON. It detects expiration by comparing the exp claim against the current time and shows an ⚠️ EXPIRED warning if the token has expired. It also displays the iat (issued-at) timestamp in a human-readable format. Signature verification is not performed because that requires the server's secret key or public key, which should never be entered into a browser tool.
Which hash algorithm should I use?
For most modern applications, SHA-256 is the recommended choice — it is widely supported, cryptographically secure, and produces a 256-bit (64-character hex) digest. Use SHA-512 when you need maximum collision resistance or are working with systems that require it (such as certain certificate standards). SHA-384 is a truncated variant of SHA-512 used in specific TLS cipher suites. Avoid MD5 and SHA-1 for any security-critical application — both have known collision vulnerabilities. MD5 and SHA-1 are included in this tool for legacy compatibility, checksum verification of non-sensitive files, and educational purposes.
Is ROT13 secure?
No. ROT13 is a novelty cipher, not encryption. It is a simple Caesar cipher that shifts each letter by 13 positions in the alphabet, meaning applying ROT13 twice returns the original text (it is self-inverse). ROT13 provides zero cryptographic security — any reader can trivially decode it. It is traditionally used to obscure spoilers in online forums, as a basic obfuscation layer for puzzle answers, and as an educational example of substitution ciphers. Never use ROT13 to protect sensitive information.
Can I encode files as Base64?
Yes. The File↔Base64 tab accepts any file type — images, PDFs, documents, archives, audio, video, and more. Upload a file via the file picker or drag-and-drop, and the tool generates the Base64 representation in your choice of six output formats: raw Base64 string, data URI (with auto-detected MIME type), CSS background-image: url(data:...) rule, HTML <img src="data:..."> tag, Markdown ![image](data:...) syntax, or a JSON object containing the filename, MIME type, size, and Base64 data. Image files also show a thumbnail preview. To reverse the process, paste Base64 data and download the decoded file with the correct extension auto-detected from the MIME type.
What is Punycode?
Punycode is an encoding scheme defined in RFC 3492 that represents Unicode characters using the limited ASCII character set allowed in domain names. It enables Internationalized Domain Names (IDN) — for example, the German domain münchen.de is encoded as xn--mnchen-3ya.de in Punycode. The xn-- prefix indicates a Punycode-encoded label. This tool uses the browser's built-in URL() constructor to handle Punycode conversion, which means it supports all Unicode scripts including Cyrillic, Arabic, Chinese, Japanese, and emoji domains.
Are the hash functions cryptographically secure?
SHA-256, SHA-384, and SHA-512 are currently considered cryptographically secure — no practical collision attacks or preimage attacks are known against them. They are computed via the browser's crypto.subtle.digest() API, which uses the operating system's native cryptographic implementation for maximum performance and correctness. MD5 and SHA-1 are not cryptographically secure — both have demonstrated collision vulnerabilities. MD5 collisions can be generated in seconds on modern hardware, and SHA-1 was practically broken by the SHAttered attack in 2017. These two algorithms are included for legacy checksum verification and compatibility, not for security purposes.
Is my data safe when using this tool?
Yes. All encoding, decoding, and hashing operations are performed entirely in your browser using client-side JavaScript. No text, files, JWT tokens, or hash values are ever transmitted to any server. The tool makes zero network requests during operation — you can verify this by opening your browser's Network tab in Developer Tools. Your data stays on your device from start to finish. Even the theme preference is stored locally in your browser's localStorage under the enc-theme key.

Privacy & Security

Your Data Never Leaves Your Device

All encoding, decoding, and hashing happens in your browser using native JavaScript APIs and the Web Crypto API. No text, files, JWTs, or hashes are ever transmitted to any server. Text encodings use built-in functions like btoa(), atob(), encodeURIComponent(), and TextEncoder. Hash generation uses the asynchronous crypto.subtle.digest() method for SHA-family algorithms, with a pure-JavaScript implementation for MD5. File conversions use the FileReader API to read files locally. JWT decoding is simple Base64url string splitting with JSON.parse(). There are no external API calls, no server-side processing, and no data logging of any kind. You are in complete control of your data at all times.

Ready to try Encode / Decode? It's free, private, and runs entirely in your browser.

Launch Encode / Decode →

Related

Blog: Base64 Encoding & Decoding Guide

An in-depth guide covering how Base64 works, when to use it, and common pitfalls with UTF-8 text and binary data.

CipherBox - Morse Converter

Dedicated Morse code converter with audio playback, visual dot-dash display, and support for international characters.
Milan Salvi

Milan Salvi

Founder, Leena Software Solutions

Milan is the founder of ZeroDataUpload and Leena Software Solutions, building privacy-first browser tools that process everything client-side. View all articles ยท About the author.

Last Updated: March 26, 2026