exl.ink tools

No login, nothing kept. Every tool works from the browser, the terminal, or a script — see llms.txt or the OpenAPI spec for the full API. Hitting the free limits? Increase limits.

File link≤ 100MB · single download · 6h

Drop any file → a one-time direct link. Optional end-to-end encryption.

Tunnelpure HTTP · 1h sessions

A public URL that relays HTTP to your machine — watch webhooks land live in your browser, or expose localhost.

Request binstores recent requests · 6h

A public URL that captures incoming requests so you can inspect them. Catch blind callbacks.

HTTP pipenetcat over HTTP

Stream data between two machines with two curl commands — or be one end right here in the browser.

One-time secretburn after reading

Share a password or note as a self-destructing, end-to-end-encrypted link.

Short link≤ 24h · optional click cap

Throwaway short URLs that expire after a time or a click cap.

Passwordin-browser · nothing sent

Crypto-strong passwords and memorable passphrases with a live strength meter.

JWT decoderin-browser · not sent

Inspect a JSON Web Token's header, claims, and expiry. Decoded locally, never sent.

ID generatoruuid · ulid · nanoid

Bulk UUID v4/v7, ULID, and NanoID generation with one-click copy.

Timestampepoch ⇄ iso · live

Convert between Unix epochs and human dates, with a live clock and relative time.

Connection inspectoryour public identity

What the public internet sees about you: IP, reverse DNS, geo, and the request as received.

Port checkerexternal reachability

Is a port open from the internet? The server dials back to your own public IP to find out.

Uptime + TLSfrom the public internet

Fetch a URL from outside: status, redirects, latency, and certificate expiry.

Scheduled callbackone-shot cron

Have the server POST your webhook once, later — even after your machine sleeps.

DNS toolkitlookups · email auth

Resolve records across three public resolvers (propagation), or audit SPF/DMARC/DKIM/MX.

Pub/sub channelSSE fan-out · live

A live Server-Sent-Events channel: POST a message, every subscriber gets it instantly.

Disposable inboxreceive email · ephemeral

A throwaway email address that catches incoming mail — read it, copy any one-time code we spot, then it's gone.

Blind XSS catcherblind XSS · 24h

A probe that fires when injected markup is rendered in any browser — exfiltrating the page, cookies, and DOM back to you. Authorized testing.

OOB callback loggerOOB HTTP · 24h

A callback URL that logs every hit, to catch blind SSRF/RCE/SQLi out-of-band. A throwaway Collaborator/interactsh.

Payload hostserve PoCs · 6h

Host a JS/HTML/SVG/CSRF payload at a stable URL with a chosen Content-Type and open CORS. Authorized testing.

RedirectorSSRF / open-redirect · 24h

A URL that 30x-redirects anywhere — internal IPs, odd schemes, multi-hop chains — to probe SSRF allow-lists and open redirects.

CSRF PoCin-browser · PoC builder

Turn a state-changing request into a self-submitting HTML form to demonstrate CSRF. Built in your browser.

Reverse shellin-browser · one-liners

Reverse-shell one-liners for bash, python, nc, php and more — fill in your listener and copy. Pentest & CTF.

JSON formatterin-browser · nothing sent

Format, minify, validate, sort, and query JSON, or export to YAML. Nothing leaves your browser.

Cron parserin-browser · next runs

Explain a cron expression in plain English and preview its next firing times.

Regex testerin-browser · live match

Test a regular expression against sample text with live highlighting and capture groups.

Text diffin-browser · line diff

Compare two blocks of text line by line, additions and removals highlighted.

QR codeSVG + API

Turn text or a URL into a crisp SVG QR code. There's an API for scripts too.