Security

ArrayKit's Security tools help developers handle the everyday cryptographic chores that show up while building and debugging apps. Decode a token to inspect its claims and expiry with the JWT Decoder, or sign a fresh one using the JWT Signer with HS256/384/512. Generate SHA-256, SHA-1, SHA-384, or SHA-512 digests with the Hash Generator to verify file integrity and checksums. Create strong, random credentials with the Password Generator and its built-in strength meter, then produce time-based 2FA codes from a base32 secret using the TOTP / 2FA Generator. These tools are for engineers, security-minded developers, and anyone working with tokens, hashes, and authentication. Every operation runs entirely in your browser using the Web Crypto API, so secrets, payloads, and passwords are processed locally and nothing is uploaded to a server.

• JWT Decoder — Decode JWT header & payload and inspect exp / iat (no verification).
• Hash Generator — SHA-256 / SHA-1 / SHA-384 / SHA-512 via the Web Crypto API.
• Password Generator — Generate strong, random passwords with a strength meter (crypto-secure).
• TOTP / 2FA Generator — Generate time-based one-time passwords (2FA codes) from a base32 secret.
• JWT Signer — Create and sign a JWT (HS256/384/512) from a payload and secret — Web Crypto.

Frequently asked questions

Are these Security tools safe to use?

Yes. Every tool runs entirely in your browser and leans on the standard Web Crypto API for hashing and signing. Your secrets, tokens, and passwords are processed locally and nothing is uploaded to a server.

Is my data kept private when I decode a JWT or generate a hash?

Completely. Tokens, payloads, secrets, and inputs are handled on your device only. Your data never leaves your device, and ArrayKit does no tracking of what you enter.

Do the Security tools work offline?

Once the page has loaded, the tools run client-side, so hashing, password generation, and JWT decoding keep working without a live connection. Loading the page initially still requires the internet.

Does the JWT Decoder verify the token signature?

No. The JWT Decoder reads the header and payload and shows fields like exp and iat for inspection, but it does not verify the signature. Use the JWT Signer when you need to create and sign a token with HS256/384/512.

How secure are the passwords and 2FA codes generated here?

The Password Generator uses a crypto-secure random source and shows a strength meter, while the TOTP / 2FA Generator produces standard time-based codes from your base32 secret. Both run locally in your browser.

Which hash algorithms does the Hash Generator support?

It computes SHA-256, SHA-1, SHA-384, and SHA-512 digests via the Web Crypto API, which is useful for checksums and verifying file integrity.