What Is This String?
Paste a mystery value from a log, database, or header and find out what it is — hash, token, ID, or encoding — ranked by confidence.
Related Tools
"I found this string — what is it?"
Every developer hits this: a value turns up in a log, a database column, a cookie, or an API response, and you have no idea what kind of thing it is. Is that 60-character blob a hash you can't reverse, or Base64 you can decode? Is that $2b$... a bcrypt hash? Is the UUID a random v4 or a time-sortable v7?
This tool inspects the input's length, character set, and structure and tells you the most likely answer — with a confidence score, because some strings genuinely match more than one pattern. It recognizes tokens (JWT), password hashes (bcrypt), message digests (MD5, SHA-1, SHA-256, SHA-512), identifiers (UUID with version, ULID), encodings (Base64, Base64URL, URL-encoding, hex), Unix timestamps, and common values like emails, IPs, and hex colors.
How to Use
- Paste the unknown string into the box.
- Click Identify (or
Ctrl+Enter/Cmd+Enter). - The top card is the best guess with its confidence; the Other possibilities list shows weaker matches.
- If the value is a reversible encoding, a link sends you to Smart Decode to actually unwrap it.
When this tool answers a real question
"Is this column a hash or can I decode it?"
You open a database and a column is full of long opaque strings. If it's bcrypt or SHA-256, it's a one-way hash — there is nothing to "decrypt," and you should stop looking. If it's Base64, it's reversible and you can read it. Knowing which one in two seconds saves a lot of wasted effort.
Incident response on a credential dump
During a security review you find a list of hashed passwords. Are they MD5 (trivially cracked), SHA-1 (weak), or bcrypt (slow and salted)? The hash length and prefix tell you the algorithm — which directly sets how urgent the rotation is.
Choosing an index strategy for an ID
Before adding a primary key, it helps to know what you're dealing with. A UUID v4 is fully random and fragments B-tree indexes; a v7 embeds a timestamp and inserts in order. Paste an existing ID and the tool reports the version so you can decide.
Figuring out what an API actually returned
An endpoint returns a token or identifier with no documentation. Identify whether it's a JWT you can inspect, a ULID you can sort by time, or a plain Base64 blob — then reach for the right follow-up tool.
Telling hashes apart by length
A bare message digest carries no label, so the most reliable clue is how many hex characters it has. This is the same table the tool uses:
| Hex length | Bits | Likely algorithm | Status |
|---|---|---|---|
| 32 | 128 | MD5 | Broken — not for security |
| 40 | 160 | SHA-1 | Broken for collisions (2017) |
| 64 | 256 | SHA-256 | Secure default |
| 128 | 512 | SHA-512 | Secure |
The catch: any random hex of the same length is indistinguishable from a hash, which is why these are reported as confident guesses, not certainties. A $2b$ prefix (bcrypt) or a dotted three-part shape (JWT) is far more definitive.
Tokens and IDs — the give-aways
- JWT — three Base64URL chunks joined by dots (
xxx.yyy.zzz) where the first chunk decodes to JSON with analgfield. - bcrypt — starts with
$2a$,$2b$, or$2y$, then a two-digit cost and a 53-character salt+hash. One-way; cannot be decoded. - UUID — 8-4-4-4-12 hex. The first digit of the third group is the version:
4= random,7= timestamp-based and sortable,1= time + MAC. - ULID — 26 Crockford-Base32 characters, no dashes; the leading characters encode a millisecond timestamp, so ULIDs sort chronologically.
- Unix timestamp — a 10-digit number is seconds, a 13-digit number is milliseconds. The tool converts both to dates.
FAQ
How can it tell MD5 from SHA-256?
Mainly by length — MD5 is 32 hex characters, SHA-256 is 64. Because random hex of the same length looks the same, those guesses come with a confidence score rather than a guarantee.
Why more than one result?
Some inputs match several patterns at once. Ranking everything by confidence lets you apply context the tool doesn't have (where the string came from) to make the final call.
Can it reverse a hash?
No. Hashes are one-way by design. This tool identifies a hash; it cannot recover the original input. Only reversible encodings can be decoded — use Smart Decode for those.
Is anything uploaded?
No. Identification runs entirely in your browser; no network requests are made and nothing is stored.
⚠️ Reference Only
Output is generated based on your input and is provided for reference. Results may vary depending on your specific use case, edge cases, or environment-specific behavior. We do not guarantee accuracy of conversions, validations, or computed values.
Always verify critical outputs against official documentation or production environments. We are not responsible for any decisions or losses based on these tool results.
📖 Related Guides
JWT Anatomy — Header, Payload, Signature
Understand JWT structure, claims, and signing algorithms. Security best practices.
URL Encoding — When to Use What
encodeURI vs encodeURIComponent vs escape. Query strings, paths, and reserved characters.
Hash Algorithms — MD5, SHA-1, SHA-256, bcrypt
When to use each hash function. Security comparison and password storage best practices.