reference // how-to

Concepts

The why to the glossary's what. Sixteen short pieces on picking the right tool, chaining them, and sidestepping the traps. For term definitions, see the glossary.

workflow

Choosing an encoding

Base64, hex, URL-encode, percent-encode — which one, when.

Use URL-encoding when the bytes are travelling inside a URL. Spaces become %20, '?' becomes %3F. Never URL-encode binary data — the output will be huge and unreadable.

Use base64 when you have binary bytes and need them in a text channel (email, JSON, HTTP header). Output is ~33% larger than input. If the text channel is a URL, use base64url — it swaps '+' and '/' for '-' and '_' so no further escaping is needed.

Use hex when you want bytes written out by hand or visually diffed. Two characters per byte, always printable. Hex is four times bulkier than raw bytes but nearly twice as compact as base64url for inspecting short values.

principle

What hashing is for

Hashes are fingerprints, not encryption. You cannot 'un-hash'.

A hash turns any input into a fixed-size output. Same input, same output. Different inputs, different outputs (overwhelmingly).

Use a hash to detect change: publish the hash of a file, and anyone who downloads it can rehash it and confirm it wasn't tampered with.

Do NOT use fast hashes (MD5, SHA-1, SHA-256) directly to store passwords. Use a password-hashing function (bcrypt, argon2id, scrypt) that is intentionally slow and salted. The a0a hash tool is for fingerprinting data, not for authentication systems.

how-to

Picking a UUID version

v4 for random, v7 for sortable, v1 for legacy compatibility only.

v4 is pure random. 122 bits of entropy. Collisions are astronomically unlikely. Use v4 for IDs that don't need to sort.

v7 prefixes a millisecond timestamp onto random bytes. Sorts chronologically as a string, which makes database indexes efficient. Use v7 for new systems that generate a lot of IDs.

v1 is MAC-plus-time. It leaks the generator's identity and clock. Only use v1 if a legacy system demands it.

Never try to 'read' a v4 UUID — it is just noise. Never use two UUIDs to compare machines — v4 tells you nothing about the machine.
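
What each version exposes, shown as an added example (not a0a's code): `inspectUuid` is a hypothetical helper that reads the version nibble, recovers the timestamp from v7 and v1, and recovers the node field from v1. The three UUIDs are sample values chosen for the demonstration.

```javascript
// Added example: read the version nibble of a UUID and report what it exposes.
// 100 ns ticks between the UUID epoch (1582-10-15) and the Unix epoch.
const GREGORIAN_OFFSET = 0x01b21dd213814000n;

function inspectUuid(uuid) {
  const hex = uuid.toLowerCase().replace(/-/g, "");
  if (!/^[0-9a-f]{32}$/.test(hex)) throw new Error("not a UUID");
  const version = parseInt(hex[12], 16);
  const info = { version, timestampMs: null, node: null };

  if (version === 7) {
    // v7: the first 48 bits are Unix time in milliseconds.
    info.timestampMs = parseInt(hex.slice(0, 12), 16);
  } else if (version === 1) {
    // v1: 60-bit timestamp split into time_low, time_mid, time_hi.
    // Reassemble high-to-low, skipping the version nibble at hex[12].
    const ticks = BigInt("0x" + hex.slice(13, 16) + hex.slice(8, 12) + hex.slice(0, 8));
    info.timestampMs = Number((ticks - GREGORIAN_OFFSET) / 10000n);
    // The last 48 bits are the node field, typically the generator's MAC address.
    info.node = hex.slice(20).match(/../g).join(":");
  }
  // v4 (and any other version): nothing to extract beyond the version itself.
  return info;
}

// Sample values for illustration only.
const SAMPLES = {
  v1: "c232ab00-9414-11ec-b3c8-9f6bdeced846",
  v4: "919108f7-52d1-4320-9bac-f847db4148a8",
  v7: "017f22e2-79b0-7cc3-98c4-dc0c0c07398f",
};

for (const [label, uuid] of Object.entries(SAMPLES)) {
  const { version, timestampMs, node } = inspectUuid(uuid);
  const when = timestampMs === null ? "no timestamp" : new Date(timestampMs).toISOString();
  console.log(label, "version", version, "|", when, "|", node ?? "no node field");
}
```

If IDs are visible to other parties, a v7 or v1 value tells them when the record was created; v1 also tells them which node created it.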

workflow

Passphrase strategy

How long, how random, how memorable.

Six Diceware words is ~77 bits of entropy — comfortably past any brute-force threshold in 2026.

Do not edit the words after generating them. Adding 'my' or '1' to a Diceware phrase does not meaningfully help and may make it easier to remember a slightly weaker phrase.

Write it down on paper, store the paper somewhere physical and private, then memorise it at leisure. Paper does not phone home.

Different passphrase per account for anything important. Use a password manager for the rest.

principle

Contrast in practice

WCAG numbers are a floor, not a ceiling.

4.5:1 is the minimum for body text. 3:1 for large text (18pt+ or 14pt+ bold). 7:1 is AAA.

Hitting 4.5:1 does not mean the text is easy to read — it means it passes the law. Aim higher for long reads, smaller sizes, or low-light contexts.

Hue matters for aesthetics but not for contrast. Two colors with identical luminance will fail the test regardless of how different they look.

The contrast tool shows AA and AAA pass/fail at the common size tiers so you can sanity-check your palette in seconds.

principle

Why OKLCH usually beats HSL

Perceptual uniformity is the one feature you actually feel.

HSL is intuitive to talk about but visually uneven. Yellow at L=50% looks bright. Blue at L=50% looks dark. A gradient through them has a muddy zone.

OKLCH is designed so equal numeric lightness means equal perceived lightness. Interpolating in OKLCH produces gradients with no dead band.

CSS supports OKLCH natively. You can mix hues without going through RGB.

Convert your legacy HSL palette once and see — the colors usually land in similar places but behave better in animations and hover states.

how-to

Reading a regex

Regular expressions are dense but finite. Every character does one thing.

Anchors: ^ start, $ end. Character classes: \d digit, \w word char, \s whitespace. A dot is any character.

Quantifiers: * zero or more, + one or more, ? zero or one, {3} exactly three, {2,5} two to five.

Groups: () captures, (?:) does not capture, (?=) lookahead, (?<=) lookbehind.

Read left-to-right and say each piece out loud: '^https?://[^\s]+$' is 'start, http, optional s, colon slash slash, any non-space, end.' Cryptic once, obvious twice.

how-to

Timestamp formats in the wild

Epoch, ISO 8601, RFC 3339, and why the difference matters.

Epoch seconds: a plain integer like 1700000000. Great for arithmetic, terrible for humans.

ISO 8601: 2024-11-14T22:13:20Z. Sortable as a string, human-readable, timezone-explicit. Prefer this for logs and APIs.

RFC 3339: a strict subset of ISO 8601 used in JSON APIs. Always has seconds, always has a timezone.

Never store a local-timezone string in a database. Store UTC epoch or UTC ISO 8601, convert at display.

how-to

Inspecting a JWT safely

The payload is readable. The signature is checkable. Do not trust what you can't verify.

JWT is three base64url segments: header.payload.signature. The first two are plaintext JSON — decode and read them freely.

The signature proves the token was not tampered with, but only if you verify it with the correct key. a0a's inspector decodes but does not verify — verification requires the server's secret/public key.

Treat a JWT's payload as untrusted until verified. Treat it as semi-public data forever — never put passwords, session cookies, or PII in a JWT payload.

Expiry matters. The 'exp' claim is epoch seconds. If it is in the past, the token is stale regardless of signature.

principle

Slug stability

A slug is a promise to the open web.

Once a URL is public, changing it breaks links, caches, bookmarks, and search results. Treat slugs as append-only.

If you must change a slug, keep a redirect from the old to the new. Forever.

Short, descriptive, ASCII-only kebab-case. No dates unless the page is about the date. No IDs unless the IDs are stable.

The slugify tool produces the canonical shape; picking the words is your job.

principle

JSON vs YAML

JSON for machines, YAML for humans, and know which you're writing.

JSON has strict syntax: double quotes, no comments, no trailing commas. Easy to parse, painful to edit by hand.

YAML is indentation-sensitive. A rogue tab can change a config. Comments and bare strings make it readable but lossy — round-tripping YAML ↔ JSON can change your types.

For application APIs, use JSON. For configuration that humans edit, use YAML. Never mix them in one file.

The converter preserves semantics — strings stay strings, numbers stay numbers — but YAML's quoting rules are wild. Always round-trip your config once before shipping.

pitfall

Clipboard & privacy

a0a runs entirely in your browser. Nothing is sent anywhere.

All tool computation happens locally. There is no server to log your input. There is no analytics pinging a third party.

a0a never reads your clipboard. You paste; the page receives the characters you pasted and nothing more.

When you click a copy button, the browser may prompt for permission the first time. That permission is between you and the browser — a0a sees only whether the copy succeeded.

You can verify all of this by opening the browser's Network tab and running any tool. You will see no requests during tool use.

pitfall

On 'hash collisions'

SHA-256 has never had a public collision and likely never will. MD5 collisions are a party trick.

For SHA-256, a collision requires ~2^128 work. At 1 billion hashes/sec, that's ~10^22 years. The universe won't last.

For MD5, researchers have produced pairs of meaningful documents with identical MD5 hashes. Do not use MD5 for any security decision. Use it only for non-adversarial change detection (e.g., cache busters).

SHA-1 is halfway to broken. Chosen-prefix collisions have already been demonstrated. Phase it out wherever you see it.

principle

Where a0a's randomness comes from

crypto.getRandomValues, always. Math.random, never.

Every random output a0a produces — UUIDs, Diceware selections, dice, sampled palettes — comes from crypto.getRandomValues, the browser's cryptographically-secure random source.

Math.random is fast but predictable enough to be guessed after a few samples. It has no place in generating anything that matters.

If your browser disables crypto.getRandomValues, a0a will refuse to generate rather than silently fall back. You will see an error, not a weak UUID.
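
The refuse-rather-than-fall-back rule, applied to the Diceware selection from the passphrase section, as an added example (not a0a's code). The `rng` parameter is a hypothetical injection point for testing, and the 7776-word list size is the standard Diceware list, assumed here.

```javascript
// Added example: unbiased selection from a CSPRNG, refusing to run without one.
// The rng parameter is a hypothetical injection point so the logic can be tested.
function secureIndex(n, rng = globalThis.crypto) {
  if (!rng || typeof rng.getRandomValues !== "function") {
    // No fallback to Math.random: fail loudly instead of producing weak output.
    throw new Error("no cryptographically secure random source available");
  }
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError("bad range");
  // Rejection sampling: discard draws from the uneven tail so x % n is not biased.
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  let x;
  do {
    rng.getRandomValues(buf);
    x = buf[0];
  } while (x >= limit);
  return x % n;
}

const DICEWARE_LIST_SIZE = 7776; // 6^5: five dice rolls per word (assumed standard list)

// Indices into a Diceware word list (the list itself is not included here).
function dicewareIndices(words, rng = globalThis.crypto) {
  return Array.from({ length: words }, () => secureIndex(DICEWARE_LIST_SIZE, rng));
}

// Entropy of a phrase whose words are chosen uniformly and independently.
const entropyBits = (words, listSize = DICEWARE_LIST_SIZE) => words * Math.log2(listSize);

console.log(entropyBits(6).toFixed(1), "bits for six words");
try {
  console.log("indices:", dicewareIndices(6));
} catch (e) {
  console.log("refused:", e.message);
}
```

The entropy figure holds only while every word is drawn uniformly, which is why the modulo bias is removed.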

workflow

Chaining tools

a0a is designed so the output of one tool pastes straight into the next.

Generate a UUID → slugify it into a URL → URL-encode it into a query string. Three tools, three copies, one flow.

Hash a file name → base64url the hash → use it as a cache key. Two tools, one result.

Pick a base color → convert HSL → OKLCH → drop into Gradient → export CSS. Four tools, zero context loss.

The copy buttons on every output preserve the exact bytes. No smart-quotes, no trimming, no surprises.

principle

Working offline

a0a works without a network. It was designed that way.

Every tool is pure client-side JavaScript. Once a page has loaded, you can pull the network cable and everything still works.

For long flights, field work, or high-security environments, save the a0a pages you use most as offline bookmarks in your browser.

There is no 'pro' feature gated behind an account. The offline behaviour is the product behaviour.