The tools
Utilities chosen for the same reason: each one is something developers paste into a random web page several times a week, and each one handles input that probably shouldn't be sent to a stranger's server.
Why client-side matters
These tools deal with data that's often sensitive — JWTs can carry session tokens, OAuth scopes, and PII; Base64 frequently wraps secrets; hashes are sometimes fed real passwords (please don't). Sending any of that to an unknown server's API is a habit worth breaking. Every utility here runs entirely client-side: no fetch, no upload, no logging, no storage.
Verify it by checking your browser's network tab while you use the tools — you'll see nothing. The JWT decoder is plain Base64URL parsing and JSON; the Base64 converter is built on the browser's own TextEncoder / atob / btoa; the hash generator calls crypto.subtle.digest, which is implemented natively by the browser. The output appears in your tab the moment you stop typing, and nothing crosses the wire to do it.
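As an added example (not this site's own code), here is what "plain Base64URL parsing and JSON" looks like when it also handles the URL-safe alphabet, stripped padding and UTF-8 claims, which a bare atob() does not. The function names and the sample token are constructed for illustration; the signature is deliberately not verified.

```javascript
// Added example: decode a JWT locally, with no network calls.
// Function names (b64urlToBytes, decodeJwt, checkTimes) are illustrative.

// Base64URL -> bytes. atob() only accepts the standard alphabet, so map
// '-' and '_' back to '+' and '/' and restore the stripped '=' padding.
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('not Base64URL');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Parse header and payload. This inspects the token only: the signature is
// returned as bytes and is NOT verified, so the claims are untrusted input.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const utf8 = new TextDecoder('utf-8', { fatal: true }); // reject bad UTF-8
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(utf8.decode(b64urlToBytes(p))));
  return { header, payload, signature: b64urlToBytes(parts[2]) };
}

// exp and iat are NumericDate values: seconds since the Unix epoch.
function checkTimes(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  return {
    expired: typeof payload.exp === 'number' ? nowSeconds >= payload.exp : null,
    issuedInFuture: typeof payload.iat === 'number' ? payload.iat > nowSeconds : null,
  };
}

// Constructed sample token (not a real credential). The payload holds a
// non-ASCII name, which a bare atob() would turn into mojibake.
function b64url(text) {
  const bytes = new TextEncoder().encode(text);
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const sampleToken = [
  b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64url(JSON.stringify({ iss: 'https://issuer.example', aud: 'api', name: 'Zoë', iat: 1700000000, exp: 1700003600 })),
  b64url('constructed-signature'),
].join('.');

const decoded = decodeJwt(sampleToken);
console.log(decoded.header, decoded.payload, checkTimes(decoded.payload, 1700001000));
```

Pasting this into a DevTools console and watching the network tab shows the same thing the page describes: the decode completes with no request sent.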
When to use each
These tools cover distinct daily problems. A quick guide on what to reach for:
- JWT Decoder — debugging an authentication flow, inspecting OAuth or OIDC tokens, checking expiration (exp) and issued-at (iat) timestamps, confirming the iss and aud match what your server expects, or just seeing what a third-party API actually packed into the token it gave you.
- Base64 — decoding data: URLs, encoding binary for JSON or email or SMTP transport, working with Authorization: Basic headers, and the URL-safe variants used in tokens, webhooks, and signed query strings. Also handy for reading whatever your CI/CD system pasted into an env var.
- Hash Generator — file integrity checksums (MD5 and SHA-256 are the two you'll see in the wild), cache-busting filenames, debugging webhook signatures (GitHub, Stripe, Twilio all sign with HMAC-SHA-256), and producing content-addressed storage IDs.
None of these are exotic — they're things you've done a hundred times. The point of having a dedicated page for them isn't novelty, it's the small relief of opening a tab, pasting, and getting an answer without first navigating around a registration wall or wondering whether the site is logging your input.
Frequently asked
"Why aren't there more tools here?"
Quality bar. There's no shortage of developer-utility sites that ship every conceivable converter, and most of them either bury the useful ones under ads or wrap them in tracking. The tools on this hub are the ones that meet the same standard as the rest of Network Lookup — accurate, ad-light, and entirely client-side. More get added only when each one clears that bar.
"Will more be added?"
Likely yes. The shortlist of candidates: a JSON formatter and validator, a URL encoder/decoder (with the encodeURIComponent vs encodeURI distinction handled correctly), a regex tester with named groups and flag toggles, a UUID generator (v4 and v7), and possibly a timestamp converter that handles the half-dozen common formats. Each will follow the same rule: all in the browser, no telemetry, no upload. If there's a utility you keep wishing existed, the contact page is the place to ask.
"Why not just use browser DevTools, Postman, or a CLI?"
Fine if those are at hand. Chrome DevTools has a console where JSON.parse(atob(token.split('.')[1])) will decode the payload of a JWT in one line. Postman, Insomnia, and Bruno all decode JWTs in their auth tabs. openssl dgst -sha256 hashes a file faster than any web page can. These tools exist for the case where none of that is already open — you're reading a Slack thread, an email, a doc, a webhook log; you want to know what's in the blob in front of you; opening a terminal or a paid app for one paste feels like overkill. That's the niche: a quick tab, a quick paste, a quick answer.