API & Security Tools for Developers

JWT (JSON Web Token) tokens authenticate API requests by encoding user identity and claims in three parts: header, payload, and signature. The JWT Decoder parses these sections without validating the signature, letting you inspect claims like user ID, expiration time, and permissions. The JWT Generator complements it by creating test tokens locally from JSON header and payload objects, with support for HS256 signing or alg:none for unsigned previews. Together they help debug authentication issues, verify token contents during development, and understand API authorization without leaving the browser.

AES encryption protects sensitive text by turning plaintext into ciphertext with a secret password and random parameters. The AES Encrypt tool creates AES-GCM payloads locally, while the AES Decrypt tool reverses compatible payloads back into plaintext with the original password. A PBKDF2-derived key converts your password into an encryption key, while random salt and IV values ensure the same plaintext does not always produce the same ciphertext. This is useful for private notes, internal config snippets, or exchanging sensitive strings without exposing them in plain text.

HMAC (Hash-based Message Authentication Code) signs a message with a shared secret so receivers can confirm the payload came from someone holding the same key and that the content was not altered. The HMAC Generator helps test webhook signature validation, signed query parameters, and API authentication flows. Unlike plain hashes, HMAC output depends on both the message and the secret, making it suitable for authenticity checks instead of simple integrity-only workflows.

Checksums provide integrity verification for files and text. The Checksum Calculator hashes content with SHA algorithms and can compare the result with an expected value you paste in. This is useful when validating release artifacts, downloaded backups, deployment bundles, or copied config text. Matching checksums suggest the content has not changed; mismatches signal corruption, truncation, or the wrong source file.

IPv4 network planning depends on understanding subnet masks, CIDR prefixes, wildcard masks, and host ranges. The Subnet Calculator and CIDR Calculator turn those values into concrete network boundaries, showing the network address, broadcast address, first and last usable hosts, and total host capacity. This helps when carving VLANs, documenting firewall rules, designing cloud address space, or debugging incorrect routing assumptions. The IP Address Converter complements those tools by translating IPv4 addresses into decimal, hexadecimal, and binary representations often seen in logs, low-level tooling, or vendor documentation.

cURL to Fetch conversion transforms command-line API examples into JavaScript code for browser or Node.js applications. API documentation often provides cURL examples because they are concise and platform-independent. The cURL to Fetch Converter parses cURL syntax, extracting URL, headers, request body, and HTTP method, then generates equivalent JavaScript Fetch API code. This accelerates integrating third-party APIs by converting documentation examples directly to working code. The converter handles authentication headers, JSON bodies, form data, and custom headers automatically.

Chmod calculator generates Unix/Linux file permission codes using read, write, and execute permissions for owner, group, and others. The Chmod Calculator provides a visual interface where you check permission boxes and get the numeric code (like 755 or 644). This prevents permission errors that expose files or break scripts. Common patterns include 644 for web files (owner reads/writes, others read), 755 for directories and executables (owner full access, others read and execute), and 600 for private files (owner-only access). Understanding permissions prevents security vulnerabilities from overly permissive files.

IBAN validation checks International Bank Account Numbers using country-specific formats and mod-97 check digits. The IBAN Validator verifies country code, length, and checksum in one step. Valid IBANs have 2-letter country codes, 2 check digits, then country-specific account details, totaling 15-34 characters. Validation catches typos in payment forms, confirms SEPA transfers, and validates customer-provided bank details. The validator details which validation step failed, helping users correct mistakes. IBANs replace older account numbers in European banking and international transfers.

Credit card number generation creates structurally valid test numbers that pass Luhn algorithm validation without being real, active cards. The Credit Card Generator produces numbers for Visa, Mastercard, American Express, and other networks, useful for testing payment gateway integration, e-commerce checkout flows, and form validation. Generated numbers pass format validation but fail authorization because they are not assigned to real accounts. Never use real credit card numbers in development or testing. Always use generators or official test numbers provided by payment processors for sandbox environments.

These tools form an API development and security testing toolkit. Decode JWT tokens when debugging authentication, convert cURL examples when integrating APIs, calculate file permissions when deploying applications, validate IBANs in payment forms, and generate test cards when building checkout flows. Together they cover common API security and testing scenarios.