Skip to content
Marvin's Toolbox.

Search tools

Type to filter all tools

Key Pair Generator

Generate RSA, ECDSA and Ed25519 key pairs in your browser with the Web Crypto API. Choose the key size or curve, then export the keys as PEM, JWK or an OpenSSH public key line.

Everything runs locally in your browser. Your data never leaves your device.

Algorithm

Modern signature keys, small and fast. The usual choice for new SSH keys.

Options

Appended to the OpenSSH public key line, usually an email address or hostname.

Keys are generated on this page with the Web Crypto API and are never stored. Copy or download what you need, a reload or regenerate discards the pair for good.

Key pair

Checking Ed25519 support…

Private key

Anyone with this key can act as its owner. Keep it secret.

Public key

Next steps

Send this tool's output straight into another tool.

Build and sign a JSON Web Token from a header and payload. Supports the HMAC, RSA, ECDSA and EdDSA algorithms real systems use, fills in standard claims like expiry for you, and shows the signed token ready to copy.

Convert text into every case at once: title case in the APA, AP, Chicago, MLA, Bluebook, AMA and NYT styles, sentence case, upper, lower, camelCase, snake_case, kebab-case and more.

Count words, characters, sentences, paragraphs, lines and more as you type, with estimated reading and speaking time.

Remove duplicate lines from a list or text, keeping the first occurrence. Optionally ignore case and whitespace, or drop blank lines too.

Replace text in two modes: plain find and replace all, or regular expressions with flag controls and capture group references like $1.

Compare two texts and see every added, removed and changed line highlighted, side by side or inline, with the changed words marked within each line. Ignore case, whitespace or blank lines, read a summary of how much changed, and export the result as a unified diff.

Paste a UUID to see what it carries: version, variant, and for time-based versions the exact timestamp, clock sequence and node. Also shows the raw bytes, the 128-bit integer and the URN form.

Decode Base64 to text or encode text to Base64. Paste into the top box, read the result below, and flip the direction with one click. Handles Unicode correctly, reads URL-safe Base64, and shows binary payloads as a hex dump you can download.

Convert numbers between binary, octal, decimal, hexadecimal and any base up to 36. Type into any field and the others update as you go. Handles huge integers without losing precision and accepts 0x, 0b and 0o prefixes.

About the Key Pair Generator Tool

This tool generates public and private key pairs with the Web Crypto API. Pick RSA with a 2048, 3072 or 4096 bit modulus and a PKCS#1 v1.5, PSS or OAEP usage scheme, ECDSA on the P-256, P-384 or P-521 curve, or Ed25519, and a fresh pair appears immediately.

Every key exports in the formats real systems expect. The private key comes as a PKCS#8 PEM block or a pretty-printed JWK, the public key as an SPKI PEM block, a JWK or an OpenSSH public key line with an editable comment. The OpenSSH-style SHA-256 fingerprint is shown next to the pair, and every format has copy and download buttons.

What you can do

  • Generate an RSA key pair with a 2048, 3072 or 4096 bit modulus.
  • Generate an ECDSA key pair on P-256, P-384 or P-521 for ES256, ES384 or ES512 JWTs.
  • Generate an Ed25519 key pair for SSH or EdDSA signatures.
  • Export a private key as PKCS#8 PEM or JWK.
  • Export a public key as SPKI PEM, JWK or an OpenSSH authorized_keys line.
  • Get the OpenSSH-style SHA-256 fingerprint of a public key.

How to use the Key Pair Generator

  1. 1Pick the algorithm. RSA keys also take a size and a usage scheme, ECDSA keys a curve.
  2. 2A key pair is generated right away. Regenerate as often as you like.
  3. 3Switch each key between PEM, JWK and OpenSSH to see the format you need.
  4. 4Set the SSH comment if the public key is headed for an authorized_keys file.
  5. 5Copy or download the keys. Nothing is saved, so store them somewhere safe before leaving.

Which algorithm should you pick?

Ed25519 is the modern default for signatures and SSH keys. The keys are tiny, generation is instant and signing is fast. Use it unless the system on the other end demands RSA or a NIST curve. A few older browsers can't generate Ed25519 keys yet, the tool detects that and tells you.

ECDSA on P-256 is what most web APIs and ES256 JWTs expect, with P-384 and P-521 as the higher security tiers. RSA is the compatibility choice. Pick PKCS#1 v1.5 for classic RS256 signatures, PSS for the modern PS256 scheme, and OAEP when the key should encrypt data rather than sign it. That usage choice also decides the alg field stamped into the exported JWK.

The export formats

PEM is the interchange format OpenSSL and most server software read. The private key uses the PKCS#8 layout (a BEGIN PRIVATE KEY block) and the public key the SPKI layout (BEGIN PUBLIC KEY), so they drop straight into TLS configs, JWT libraries and command line tools.

JWK is the JSON shape JOSE libraries take. Both keys carry the matching alg identifier, from RS256 and PS256 over ES256 to EdDSA, so a library can pick the right algorithm without guessing. The OpenSSH line is what goes into an authorized_keys file or a Git host's SSH key settings, and the fingerprint matches what ssh-keygen -lf prints.

Signing JWTs with a generated key

A common reason to need a key pair is signing JSON Web Tokens. Generate an ECDSA P-256 key for ES256 or an RSA key for RS256, then send the private key to the JWT Encoder to sign a token with it. The public key is what the consuming service needs to verify signatures, so publish that one and keep the private key to yourself.

Hash a password with bcrypt or Argon2 and verify a password against an existing hash. Tune the cost factor, memory, iterations and parallelism, see how long the hash takes, and read the parsed parts of any hash you paste.

Verify a checksum online: drop a file, paste the expected checksum and see instantly whether they match. The hash type is detected from the checksum itself, covering MD5, SHA-1, SHA-256, SHA-512, BLAKE3, CRC-32 and more, and sha256sum lines or whole checksum files can be pasted as-is.

Paste raw email headers to trace the Received chain hop by hop with per-hop delays, read the SPF, DKIM and DMARC results, and see every header explained. Helps you spot spoofing and find where a slow email got stuck.

Hash text or a file with MD5, SHA-1, SHA-256, SHA-512, SHA-3, BLAKE2, BLAKE3, CRC32 and more, all computed live as you type. Compare against an expected checksum and copy any digest.

Reveal the characters you can't see in a text: zero-width spaces, non-breaking spaces, bidi marks, control characters and CRLF versus LF line endings. Inspect every occurrence and clean them out with a click.

Paste a JSON Web Token to see its header and payload as formatted JSON, with the token color coded so each part maps to its output. Explains the registered claims, shows expiry as readable dates, flags expired tokens and can verify the signature with a secret or public key.