Developer Tools
JSON, Base64, hashing, regex, JWT, and other web-developer everyday tools. Everything runs in your browser using native APIs β no server, no logging, no rate limits.
JSON Formatter & Validator Full guide β
How it works
Parses your input with the browser's native JSON.parse, then re-serializes with JSON.stringify using your chosen indentation. If parsing fails, the error message points at the line and column of the syntax error.
When to use it
Pretty-printing API responses, validating JSON before pasting it into a config file, minifying JSON for production, or debugging "unexpected token" errors from somebody else's API.
Common mistakes
Confusing JSON with JavaScript object literals β JSON requires double-quoted keys and forbids trailing commas, comments, and undefined. Also: pasting JSON5, which allows unquoted keys but isn't valid JSON.
Base64 Encoder / Decoder Full guide β
How it works
Base64 encodes binary or text data using 64 ASCII characters (A-Z, a-z, 0-9, +, /). Each 3 bytes of input become 4 characters of output. Padding (=) is added so the output length is always a multiple of 4. This tool uses the browser's native btoa and atob with UTF-8 normalization for international characters.
When to use it
Embedding binary data in JSON or URLs, encoding HTTP Basic Auth credentials, decoding API tokens, inspecting data URLs, or transferring text through systems that don't tolerate special characters.
Common mistakes
Using raw btoa on UTF-8 strings (it only handles Latin-1) β this tool handles UTF-8 correctly. Also: confusing Base64 with encryption. It's encoding, not encryption β anybody can decode it instantly.
URL Encoder / Decoder
How it works
URL encoding (also called percent-encoding) converts special characters to %XX hexadecimal sequences so they survive transmission in URLs. Spaces become %20, ampersands become %26, and so on. Uses the browser's encodeURIComponent and decodeURIComponent.
When to use it
Building query string parameters that contain special characters, debugging encoding issues in API requests, decoding URLs you got from email or chat, or generating Stripe/PayPal redirect URLs.
Common mistakes
Using encodeURI instead of encodeURIComponent when encoding query parameters. encodeURI leaves ?, =, and & alone, which is wrong if those are part of your data. This tool uses the safer component variant.
HTML Entity Encoder / Decoder
How it works
Converts HTML reserved characters (&, <, >, ", ') to their entity equivalents so they render as text instead of being parsed as markup. Decoding does the reverse.
When to use it
Displaying code snippets inside HTML pages, sanitizing user input before rendering it, escaping content for inclusion in attribute values, or unescaping data scraped from HTML sources.
Common mistakes
Encoding text that's already encoded (double-encoding) β & becomes &amp;. Always check whether your input is raw or already escaped before running it through.
Hash Generator (SHA-1, SHA-256, SHA-512)
How it works
Uses the browser's native crypto.subtle.digest() API to generate cryptographic hashes. SHA-1 is shown for legacy compatibility but is no longer considered secure for new applications. SHA-256 is the modern default. SHA-512 is the strongest of the SHA-2 family.
When to use it
Verifying file integrity (matching a published checksum), generating content-addressable identifiers, hashing data for storage, or testing hashes for development purposes.
Common mistakes
Using SHA-1 for security purposes β collisions have been demonstrated in production. Use SHA-256 or stronger. Also: hashing passwords with raw SHA functions β use a slow KDF like bcrypt, scrypt, or Argon2 for password storage.
JWT Decoder (Header / Payload)
How it works
JSON Web Tokens have three parts separated by dots: a Base64URL-encoded header, payload, and signature. This tool decodes the header and payload but does NOT verify the signature β verification requires the secret key, which should never be sent to a third party.
When to use it
Inspecting token contents during development, checking expiration times, debugging authentication flows, or seeing what claims an OAuth provider is sending you.
Common mistakes
Treating decoded payload data as trusted. Anyone can read a JWT β only the signature provides authenticity. Never put secrets in a JWT payload, only public claims.
Regex Tester
Matches
How it works
Compiles your pattern as a JavaScript RegExp with the flags you specify, then runs matchAll against your test string and lists every match with its position. Common flags: g (global, find all matches), i (case-insensitive), m (multiline, ^ and $ match line boundaries), s (dotall, . matches newlines).
When to use it
Testing patterns before pasting them into code, validating user input formats, extracting data from messy text, or learning regex by experimenting.
Common mistakes
Forgetting to escape literal special characters β to match a real period, write \., not . (which matches anything). JavaScript regex has minor differences from Python or PCRE; don't assume patterns from other languages work as-is.
CSV β JSON Converter
How it works
CSVβJSON treats the first row as headers and converts each subsequent row into an object keyed by those headers. JSONβCSV walks an array of objects, builds a header row from the union of all keys, and writes one row per object. Handles quoted fields and escaped commas.
When to use it
Importing spreadsheet exports into a JS app, converting an API response to a spreadsheet, prepping data for a data-loading script, or converting between formats during ad-hoc data work.
Common mistakes
Inconsistent header names between rows in JSON-to-CSV (some objects missing keys others have) β the tool fills missing fields with empty strings. Also: CSV files with commas inside quoted fields β the parser handles standard CSV quoting but not all dialects.