A collection of everyday developer utilities that run entirely in your browser. Decode and inspect JWTs, format SQL queries, test regular expressions with live highlighting, explain cron schedules in plain English, calculate CIDR subnet ranges, convert number bases, and generate cryptographically secure passwords. All without a server.
All processing runs in your browser. You can paste JWT tokens, SQL queries, or configuration values and they stay in your browser tab throughout.
Most online developer tools have a hidden cost: every JWT you paste, every SQL query you format, every regex you test, gets POSTed to a server. The server formats the input, sends back the result, and (probably) keeps a log of what was sent. That log is now a piece of your company's intellectual property sitting on a third party's disk.
For a JWT decoder this matters more than it sounds. A JWT often contains a user ID, an email address, the issuer URL of an internal auth service, the audience, and a signing key ID. Even if the token has expired, the metadata gives an outsider a clean map of your backend. The same applies to SQL: a query string carries table names, column names, and sometimes literal data values from production.
In-browser tools remove the disclosure problem entirely. The JavaScript runs in your tab, does the work, and shows you the result. All processing runs in your browser. No server is involved at any point.
How the developer tools work
Each tool is a small JavaScript module bundled into the page. The JWT decoder splits the token on dots and base64-decodes the header and payload using built-inatob. The SQL formatter uses the open-source sql-formatterlibrary, loaded lazily the first time you open the page. The regex tester uses the browser's native RegExp engine. The cron parser usescronstrue. The password generator uses crypto.getRandomValues, the same cryptographically secure random source browsers use internally.
None of these libraries make network calls. They take input, produce output, and the browser displays the result. The Content Security Policy header served with every page sets connect-src 'none', which means the browser itself refuses any outbound fetch attempt, providing a hard guarantee that not even a future bug could leak your data.
In-browser vs hosted developer tools
Approach
Processes locally
Setup cost
Best for
In-browser (this site)
Yes
None
Quick checks with sensitive input
Hosted online tools
No
None
Public sample data, demos
CLI tools (jq, sqlfluff)
Yes
Install + learn
Scripting, CI pipelines
The honest summary: hosted tools are convenient but send your data to a server. CLI tools process locally but require installation and setup. In-browser tools cover the middle ground: zero setup, processing runs locally. The limitation is that they don't integrate into a build pipeline. For a one-off check during local dev, they are the fastest option.
Writing infrastructure code? Format and validate Kubernetes manifests with the YAML formatter, pretty-print structured documents with the XML formatter, or beautify a long query using the SQL beautifier.
Configuring a server? Convert symbolic permissions with the chmod calculator, plan IP ranges using the subnet calculator, and translate scheduled jobs into English with the cron explainer.
Need credentials that pass a security review? Spin up cryptographically secure secrets with the password generator.
Reading low-level data? Flip between binary, octal, decimal, and hex with the number base converter.
Frequently asked questions
Are these developer tools free?
Yes. No rate limits, no API keys, no account. You can hit any tool a thousand times an hour and nothing will throttle you.
Do these tools send my code or tokens to a server?
Every tool runs as JavaScript inside your browser tab. JWTs, SQL, regex patterns, and any other input stay on your machine. The Content Security Policy on this site sets connect-src 'none', which means the browser blocks all outbound network calls at the protocol level.
Are passwords generated by the password tool actually random?
Yes. The generator uses crypto.getRandomValues, the browser's cryptographically secure random number source. The same API browsers use to seed TLS and WebAuthn. It is suitable for generating production passwords.
Do the tools work offline?
After the first visit, yes. The site is statically exported, so once your browser has cached the assets, every developer tool works without an internet connection.
Why don't these tools have history or saved snippets?
Storing your input would mean writing it to disk. Since the appeal of these tools is that nothing is persisted, no history is kept. If you want to save a snippet, copy it from the output panel.
Do the SQL formatter and regex tester process data locally?
Yes. Queries, regex patterns, and test strings are processed by the respective JavaScript libraries (sql-formatter and the browser's built-in regex engine) entirely within your browser tab.