📚 Tool Guide

JWT, Base64, and Hash Functions Explained: A Developer's Guide to Web Security Encoding

If you've worked with APIs, authentication, or web applications for any length of time, you've run into these three things: a JWT token in an Authorization header, a Base64-encoded string somewhere in a payload, and an MD5 or SHA256 hash used to verify a file or password. They're everywhere — and they're often confused with each other.

This guide breaks down all three clearly: what each one actually does, how they're different, when you'd use each one, and how to work with them using free online tools.

The Core Distinction: Encoding vs Encryption vs Hashing

Before diving into each tool, here's the conceptual framework you need:

Encoding (Base64) — Transforms data into a different format for transmission or storage. Not secret. Anyone can decode it. The purpose is compatibility, not security.

Hashing (MD5, SHA256, etc.) — A one-way transformation. You can go from data → hash, but not hash → data. Used to verify integrity, not to protect secrets in transmission.

Encryption (AES, RSA, etc.) — Transforms data into ciphertext that only someone with the correct key can reverse. Actually secret. Note: JWT can use encryption, but most commonly uses signing (which is closer to hashing than encryption).

Understanding this triangle saves you from a very common mistake: treating Base64 as security. It's not. A Base64-encoded string is not protected in any way — it's just reformatted.

Part 1: Base64 Encoding and Decoding

What Is Base64?

Base64 is an encoding scheme that converts binary data into a string of ASCII characters using an alphabet of 64 characters: A–Z, a–z, 0–9, and + and / (with = for padding).

Why 64 characters? Because 6 bits can represent 64 values (2⁶ = 64), and this range sits comfortably in the printable ASCII character set that every system can handle safely.

The problem it solves: Many transmission systems — email (historically), URLs, HTTP headers — were designed to handle text, not arbitrary binary data. Binary data (images, files, binary protocols) can contain byte values that these systems interpret as control characters and corrupt or reject. Base64 converts binary to safe text.

When You'll Encounter Base64

What Base64 Is NOT

It's not encryption. It's not hashing. Seeing a Base64 string doesn't mean the data is protected — anyone with a Base64 decoder can read the original content in seconds.

Example: HTTP Basic Auth sends Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=. That string decodes to username:password instantly. This is why Basic Auth must always be used over HTTPS — the encoding offers zero security on its own.

Using the Base64 Tool

The Base64 encoder/decoder handles both directions:

Encoding: Paste any text or data string → get the Base64 representation. Useful when you need to pass binary data through a text-only channel.

Decoding: Paste any Base64 string → get the original text. Useful when debugging API requests, reading JWT payloads, or investigating what a Base64 value in a token or header actually contains.

Base64URL variant: Standard Base64 uses + and /, which are reserved characters in URLs. Base64URL replaces these with - and _ to make the string URL-safe. JWTs use Base64URL. If you're decoding a JWT section, use a tool that handles Base64URL (or just replace - with + and _ with / before decoding standard Base64).

Part 2: JWT — JSON Web Tokens

What Is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims (pieces of information) that can be verified and trusted. In practice: it's an authentication token your server issues after login, which your browser sends with every subsequent request to prove who you are.

A JWT looks like three Base64URL-encoded sections separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The three sections are:

  1. Header — Algorithm and token type (e.g., {"alg": "HS256", "typ": "JWT"})
  2. Payload — The claims: user ID, email, roles, expiration time, etc.
  3. Signature — A cryptographic signature computed from the header + payload + a secret key

How JWT Authentication Works

  1. User logs in with username/password
  2. Server verifies credentials, creates a JWT with user info in the payload, signs it with a secret key
  3. Server returns the JWT to the client
  4. Client stores the JWT (typically in memory or httpOnly cookie) and sends it in the Authorization: Bearer <token> header with every request
  5. Server receives the request, verifies the JWT's signature, reads the payload — no database lookup needed
  6. If signature is valid and token hasn't expired, the request is authenticated

The critical security property: the payload is readable by anyone (it's just Base64URL), but it cannot be tampered with without invalidating the signature. If you change even one character in the payload, the signature verification fails.

Decoding a JWT to Debug It

Paste any JWT into the JWT decoder to instantly see: - The header (algorithm, token type) - The full payload (all claims in readable JSON) - Whether the signature structure is valid - The expiration time (exp claim) in human-readable format

This is invaluable for debugging authentication issues. Common scenarios:

Token expired: The exp claim is a Unix timestamp. If it's in the past, the token is expired — re-authenticate.

Wrong claims: If your API is returning "unauthorized" but you think you're sending a valid token, decode it and check whether the expected user ID, role, or scope claim is actually present.

Algorithm mismatch: If your server expects HS256 but the token header says RS256, authentication will fail. The decoder shows you the algorithm immediately.

Important: The JWT decoder shows you the payload but does not verify the signature — signature verification requires the secret key, which only the server has. The decoder is a debugging tool, not a security tool.

JWT Security Notes

Part 3: Hash Functions (MD5, SHA256, and Others)

What Is a Hash Function?

A hash function takes any input (a string, a file, a password) and produces a fixed-length string of characters called a digest or hash. Three defining properties:

  1. Deterministic: The same input always produces the same output
  2. One-way: You cannot reverse a hash to get the original input (for secure hash functions)
  3. Avalanche effect: Changing even one character in the input completely changes the hash

Example — SHA256 of two similar strings: - "hello" → 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 - "Hello" → 185f8db32921bd46d35ef08d6c68f2cce31d7d6e9a1ad7aca35a2b6b6c2c0c4f

One capital letter, completely different hash.

MD5 vs SHA256: What's the Difference?

Factor MD5 SHA256
Output length 128-bit (32 hex chars) 256-bit (64 hex chars)
Speed Very fast Slightly slower
Security Cryptographically broken Secure for most uses
Common uses File checksums (non-security), legacy systems Password storage (with salt), file verification, HMAC

MD5 is not secure for passwords. MD5 hashes are pre-computed in "rainbow tables" — databases of millions of common passwords and their MD5 hashes. If someone gets your MD5 password hash, they can look it up and find the original in seconds. Use SHA256 (with salt and stretching, ideally bcrypt or Argon2) for anything security-sensitive.

MD5 is still fine for non-security file integrity checks — verifying a downloaded file hasn't been corrupted in transit.

Practical Uses of Hash Tools

Verify a downloaded file:
Many software downloads list the SHA256 hash of the file. After downloading, run the hash generator on the downloaded file and compare it to the listed hash. If they match, the file is intact and unmodified.

Generate content fingerprints:
If you're building a system that needs to detect duplicate files without comparing full content, hash each file and compare hashes — identical hashes mean identical content.

Test your hashing implementation:
If you're building an API that signs payloads with HMAC-SHA256, use the hash tool to manually compute expected values and verify your implementation produces the same output.

Anonymize data for testing:
When testing systems with real data you shouldn't expose, hash PII fields (email addresses, phone numbers) — the data becomes unusable as PII but retains uniqueness for testing.

Using the Hash Generator

The hash generator at WorldofTools supports MD5, SHA1, SHA256, and SHA512:

  1. Enter or paste your input text
  2. Select the hash algorithm
  3. Copy the resulting hash

All computation happens in your browser — no data is sent anywhere. This matters when hashing sensitive strings like API keys or data samples.

How These Three Tools Work Together in Real Development

A common real-world flow:

  1. User logs in → server creates a JWT with claims → header and payload are Base64URL encoded → signed using HMAC-SHA256
  2. JWT sent to client, stored, and sent back with each request in Authorization header
  3. On each request, server hashes the header+payload with the secret key and compares to the signature
  4. If you're debugging and the JWT isn't working, paste it into the JWT decoder to check the payload and expiration
  5. If you're verifying a file the API returned, run a SHA256 hash and compare to the server's stated checksum

These three concepts aren't separate tools — they're layers of the same web security stack. Understanding each one makes the whole system legible.

Related tools for developers: URL encoder/decoder for debugging query strings and API URLs, JSON formatter for reading API responses cleanly, and regex tester for validating token patterns.