Most developers accumulate a personal graveyard of bookmarked utility sites over the years — one for generating UUIDs, another for Base64 decoding, a third for formatting a wall of minified JSON, a fourth for spinning up a quick AES test vector. Each one looks slightly different, behaves slightly differently, and half of them are supported by a single maintainer who hasn't touched the code since 2019. The friction is small each time — find the tab, remember which site actually does what you need, paste, copy, close — but it adds up across a career, and it comes with a cost that's easy to overlook: every one of those pastes is data leaving your machine.
The trouble with the bookmark-graveyard approach isn't just inconvenience. It's that every different site is a different trust boundary. When you paste an API key into a JSON formatter to pretty-print a config file, or paste plaintext into an “online AES encrypt” tool to sanity-check an implementation, you're trusting that specific site's server not to log it, not to get breached, and not to have been built by someone who monetizes exactly that kind of data. Most of these tools are free precisely because the operator isn't running ads to cover hosting costs on goodwill alone. You rarely find out which ones were the bad ones until after the fact.
There's also a consistency cost. A GUID generator on one site defaults to uppercase with hyphens, another defaults to lowercase without them, and you end up writing throwaway regex to reconcile the two mid-task. None of this is a hard problem individually — it's death by a thousand small inconsistencies, on tools that should be interchangeable commodities but aren't, because nobody standardized them.
KeyForge exists to collapse that graveyard into a single place with a single, simple trust model: nothing you type into any tool on this site is ever sent to a server. Every operation — generating identifiers, encrypting or decrypting text, generating passwords, hashing, encoding, formatting JSON — runs entirely in your browser, using the Web Crypto API for anything cryptographic. There's no backend to log your input, no database to breach, and no reason to wonder whether the plaintext you just pasted is sitting in someone's access logs. You can verify this yourself by opening your browser's network tab while using any tool here: no request fires when you type.
That matters more the more sensitive the input gets. Pretty-printing JSON that contains a customer record, or generating a UUID that will become a permanent database key, or testing an encryption routine against a real (if temporary) secret — these are exactly the moments where “which random website is this actually running on” stops being a hypothetical question.
Database primary keys, correlation ids for distributed tracing, idempotency keys for API requests — v4 random UUIDs cover most of this by default. When you need something deterministic instead — the same input always producing the same id, useful for deduplicating imported records without a lookup table — the GUID Generator also supports v5 (namespace-based) and v1 (timestamp-based) generation, in bulk, formatted however your downstream system expects. See What Is a UUID?if you're not sure which version fits your case.
Need to hand a teammate a secret over a channel you don't fully trust, sanity-check an AES implementation against a known key and IV, or quickly obscure a config value before it goes into a chat message? The Encrypt / Decrypttool supports AES-256-GCM, AES-256-CBC, and AES-128-CBC via the Web Crypto API, with the IV generated for you. If you're unsure which mode to reach for, AES-CBC vs AES-GCM and AES vs RSAcover the tradeoffs. The same page also handles hashing (SHA-256, SHA-512, SHA-1, MD5) and plain encoding (Base64, Hex, ROT13) for the cases where you don't need reversibility or secrecy, just a transform — with a legacy warning shown for SHA-1 and MD5, since neither belongs in front of real secrets anymore.
Every new account, service credential, or API secret is a chance to either generate something genuinely random or fall back on a pattern your brain finds memorable — which is exactly what makes it guessable. The Password Generator produces cryptographically random passwords at whatever length and character set a given service demands, with nothing generated leaving your browser. Why Strong Passwords Matter and Password Entropy Explained go into why length and randomness matter more than cleverness.
Minified API responses, log lines dumped as a single unreadable string, a config file someone pasted without line breaks — the JSON Formatterpretty-prints, validates, and distinguishes a syntax error (malformed JSON) from a schema violation (valid JSON that doesn't match the shape you expected), which is a distinction most formatters blur together. See JSON Schema Validation for more on that split.
None of these tools require an account, a plan, or an install. There's no state to lose between visits because there's nothing stored server-side to begin with — you land on a tool, do the one thing you came to do, and leave. That's the actual bar a utility site should clear: faster and safer than reaching for a different bookmark each time, with a trust model simple enough that you don't have to think about it while you're mid-task.
Bookmark KeyForge once, and the next time you need a UUID, a quick encrypt, a fresh password, or a wall of JSON made readable, it's the same tab every time.