Decode this blob

Hand the agent an opaque string — a JWT, a base64'd JSON payload, a gzip-encoded API response, a hex-encoded hash — and walk it through identifying what it is and unwrapping it layer by layer until it's human-readable.

When to use this pack

You pulled a suspicious string out of a log, a webhook body, a network capture, a cookie, or an API response, and you need to know what's inside without writing a one-off Node script. The tools in this pack are all deterministic and pure-CPU — every step is free over the proof-of-work tier.

Tools in this pack

Workflow

  1. Look at the first few characters before calling anything. "eyJ" → almost certainly a JWT (it's base64url for `{"`). "H4sI" → base64-encoded gzip (gzip's 1f 8b magic, base64'd). All hex characters and an even length → likely hex-encoded bytes. Mostly A-Z, a-z, 0-9, "+" and "/" with optional `=` padding → base64.
  2. If it looks like a JWT, call jwt-decode. It returns the header + payload as JSON without verifying the signature, so the claims are unverified. The header tells you the algorithm; the payload is your answer. If it decodes successfully but the payload is itself base64'd or gzipped, recurse with this pack.
  3. If the prefix is "H4sI" (or starts with bytes 1f 8b after a base64 decode), it's gzipped. Call gunzip with the base64 string directly — outputFormat "utf8" if you expect text, "base64" if you expect another binary layer.
  4. Brotli has no fixed magic in the stream, but if you've ruled out gzip and the bytes still don't look like text after base64 decode, try brotli-decompress. Failure is cheap (a 400, not a 500) so this is safe to attempt.
  5. Fall back to base64 with mode="decode" — it's the most common wrapper. If the result is human-readable text, you're done; if it looks like more binary, you're peeling another layer (very common: base64(gzip(json))).
  6. If every character is in [0-9a-f] and the length is even, use hex with mode="decode". This is how a lot of crypto/hash tooling formats output: sha256 digests, wallet addresses, encryption ciphertexts.
  7. When you finally land on something that parses as JSON, run json-format to pretty-print it — much easier to inspect a 50-key payload with indented keys than as one long line. If the original blob was a hash you wanted to verify, call hash on the source content and compare hex outputs.
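
The workflow above as a local Node function, added here as an example and not Agent402's own code; `sniff`, `decodeJwt`, `peel` and the sample payload are names and data constructed for illustration. It tests hex before base64 because the hex check is stricter, leaves brotli out (there is no magic to sniff), and caps both the peel depth and the gunzip output size.

```javascript
const zlib = require("node:zlib");

const HEX = /^(?:[0-9a-fA-F]{2})+$/;            // hex chars only, even length
const B64 = /^[A-Za-z0-9+/_-]{8,}={0,2}$/;      // base64 or base64url alphabet
// ASCII-only heuristic: tab, LF, CR and 0x20-0x7e count as readable text.
const printable = (buf) => !/[^\t\n\r\x20-\x7e]/.test(buf.toString("latin1"));

// Step 1 of the workflow: classify from the characters alone.
function sniff(s) {
  if (s.startsWith("eyJ") && s.includes(".")) return "jwt";
  if (HEX.test(s)) return "hex";      // stricter than base64, so test it first
  if (B64.test(s)) return "base64";
  return "text";
}

function decodeJwt(token) {
  const seg = (x) => JSON.parse(Buffer.from(x, "base64url").toString("utf8"));
  const [header, payload] = token.split(".");
  // Decoded only: nothing here checks the signature, so claims stay untrusted.
  return { header: seg(header), payload: seg(payload), signatureVerified: false };
}

function peel(blob, maxDepth = 8) {
  const layers = [];
  let cur = blob.trim();
  while (layers.length < maxDepth) {
    const kind = sniff(cur);
    if (kind === "jwt") return { layers: [...layers, "jwt"], finalPayload: decodeJwt(cur) };
    if (kind === "text") break;
    let bytes = Buffer.from(cur, kind);   // "hex" and "base64" are Buffer encodings
    layers.push(kind);
    if (bytes[0] === 0x1f && bytes[1] === 0x8b) {   // gzip magic ("H4sI" once base64'd)
      bytes = zlib.gunzipSync(bytes, { maxOutputLength: 1 << 20 }); // cap against bombs
      layers.push("gzip");
    }
    if (!printable(bytes)) return { layers: [...layers, "binary"], finalPayload: bytes.toString("hex") };
    cur = bytes.toString("utf8").trim();
  }
  try {
    return { layers: [...layers, "json"], finalPayload: JSON.parse(cur) };
  } catch {
    return { layers: [...layers, "text"], finalPayload: cur };
  }
}

// Constructed sample: base64(gzip(json)), the common wrapper named in step 5.
const SAMPLE = zlib.gzipSync(Buffer.from('{"user":"alice","role":"admin"}')).toString("base64");
console.log(peel(SAMPLE));
```

Short alphanumeric words can pass the base64 or hex test; when a decode yields non-text bytes the function reports a `binary` layer with the bytes as hex and stops.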

Run it in Claude

claude mcp add agent402 -s user -- npx -y agent402-mcp@latest

Then paste this prompt into Claude:

Identify and decode this opaque string using Agent402: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ". (1) Inspect the prefix — "eyJ" suggests a JWT. (2) Call jwt-decode and return the header + payload. (3) If any field in the payload is itself a base64 / gzip / hex string, peel it: base64 → gunzip → brotli-decompress → hex, trying each only if the prefix suggests it. (4) When you reach plain text or JSON, return a single object describing what each layer was (e.g. {layers: ["jwt", "base64", "gzip", "json"], finalPayload: {...}}). All steps are free over the proof-of-work tier — no payment needed.
