ToolChop

Developer Tools

JSON, regex, JWT, hash, base64, QR codes, passwords — utilities a working developer reaches for every day.

Every developer ends up with a tab open to some random JSON formatter, regex tester, JWT debugger, or base64 decoder. They're useful because they're fast — paste in, get the answer, close the tab. They're also a quiet liability because most of them ship your payload to a server. If you're decoding a JWT from a production environment, formatting a JSON response that contains a customer ID, or hashing a string that's actually a secret, you'd rather that not leave your laptop. The tools on this page are the same 30-line implementations, just run client-side.

These cluster into a few patterns. Formatters and parsers — JSON, YAML, XML, CSV — take input in one structure and emit it in another. Encoders — base64, URL encoding, HTML entities — transform a string into a safe-to-transport form (or back). Cryptographic primitives — hash, CRC32, JWT signing — run the standard algorithms locally using the browser's WebCrypto API where possible. Generators — passwords, passphrases, QR codes, barcodes — produce something new from minimal input. Together they cover the long tail of one-off operations that come up during normal development.

A few specifics worth knowing. WebCrypto is the standard browser API for cryptography and produces the same hash values as command-line tools (shasum, openssl dgst). JWT decoding is just base64url + JSON parsing — there's no server required for the decode step (signature verification is a separate operation). Password generators use crypto.getRandomValues(), which is the same source of randomness used for TLS — notMath.random(), which is not cryptographically secure and should never be used for secrets.

All developer tools (18)

🛠️

JSON Formatter

Pretty-print, minify, and validate JSON.

Use tool →
🛠️

CSV to JSON

Convert CSV files to JSON, with delimiter detection.

Use tool →
🛠️

CSV Viewer

Inspect CSVs as a sortable table — no upload.

Use tool →
🛠️

XML to JSON

Convert XML documents to JSON.

Use tool →
🛠️

YAML to JSON

Convert YAML to JSON (and back).

Use tool →
🛠️

Regex Tester

Test regular expressions live, with match highlighting.

Use tool →
🛠️

Hash Generator

Compute MD5, SHA-1, SHA-256, SHA-512 hashes.

Use tool →
🛠️

CRC32 Checksum

Generate CRC32 checksums for files or text.

Use tool →
🛠️

JWT Decoder

Decode and inspect JSON Web Tokens locally.

Use tool →
🛠️

JWT Builder

Build signed JWTs for testing.

Use tool →
🛠️

URL Encoder / Decoder

Percent-encode and decode URLs and query strings.

Use tool →
🛠️

Base64 Encode / Decode

Encode or decode Base64 strings.

Use tool →
🛠️

HTML Entity Encoder

Escape or unescape HTML entities.

Use tool →
🛠️

Password Generator

Generate strong random passwords client-side.

Use tool →
🛠️

Passphrase Generator

Generate memorable diceware-style passphrases.

Use tool →
New

QR Code Generator

Generate QR codes — no account, no expiry.

Use tool →
🛠️

QR Code Reader

Decode QR codes from images or camera.

Use tool →
🛠️

Barcode Generator

Generate 10 common barcode formats.

Use tool →

Common developer workflows

Inspecting an API response. Paste the raw JSON into JSON Formatter for a pretty-printed, collapsible view. The validator catches missing commas and unquoted keys faster than re-running the curl. For CSV API responses, use CSV Viewer for a sortable table, or CSV to JSON if you need to pipe the data into a script.

Debugging an authentication issue. Paste the JWT into JWT Decoder to see the header, claims, and expiration. The decoder splits the token into its three parts (header.payload.signature) and decodes the first two; the signature is binary and is shown verbatim. For building test JWTs, JWT Builder signs with HS256 using a secret you supply.

Encoding for transport. Base64 Encode/Decode for embedding small binary blobs in JSON. URL Encoder/Decoder for building or decoding query strings. HTML Entity Encoder when you need to display literal HTML or guard against an XSS by escaping output.

Building a checksum or fingerprint. Hash Generator produces MD5, SHA-1, SHA-256, and SHA-512 hashes. CRC32 Checksum is the right tool for the older CRC32 algorithm — different output, used for ZIP files and some legacy protocols. SHA-256 is the modern default for non-cryptographic integrity checks; MD5 and SHA-1 are broken for security but still ubiquitous for non-security integrity checks.

Generating secrets and codes. Password Generator produces strong random passwords with customizable length and character classes — Passphrase Generator outputs diceware-style multi-word passphrases, which are stronger for the same memorability budget. QR Code Generator for handing off a URL or text to a phone; Barcode Generator for legacy barcode formats (Code 39, Code 128, EAN, UPC, and others).

Testing a regex. Regex Tester highlights matches against your test input as you type. The flavor is JavaScript's built-in (ECMAScript), which is close to but not identical to PCRE — for differences in lookbehind, named groups, and Unicode property classes, verify against the target language before shipping.

Frequently asked questions

Is it safe to decode production JWTs here?

Yes. The decoding happens entirely in your browser's JavaScript runtime — the token never makes a network request. You can verify by opening DevTools → Network and decoding a token; you'll see no traffic. This is the main reason a local JWT decoder exists.

How does the password generator pick random characters?

It uses crypto.getRandomValues(), the browser's CSPRNG, which is the same source of randomness used for TLS and the WebCrypto API. It is not Math.random(), which is fast but not cryptographically secure.

Why are MD5 and SHA-1 still listed in the hash generator?

MD5 and SHA-1 are cryptographically broken (collisions are findable) and should not be used for security. They're still extremely common for non-security integrity checks — verifying that a downloaded file matches a published checksum, deduping items by content hash, generating cache keys. SHA-256 is the right default for anything that doesn't need backwards compatibility.

Can I sign or verify JWTs with RS256?

The JWT builder currently supports HS256 (HMAC-SHA256 with a shared secret) because RS256/ES256 require private-key management that's awkward in a single page. For RSA-signed tokens, you'll typically use a server library or a CLI tool. The decoder reads RS256 tokens fine — it just doesn't verify their signatures.

Does regex-tester support PCRE features like lookbehind and named groups?

It supports the JavaScript regex flavor (ECMAScript 2018+), which has named groups, lookahead, and lookbehind. The main difference from PCRE: no recursive patterns, no atomic groups, and Unicode property classes work but require the /u flag. Always re-test against the target runtime before shipping a regex.

Can JSON Formatter handle huge files?

It comfortably handles tens of megabytes. For very large JSON (hundreds of MB or more), browser memory and rendering will struggle — jq or a streaming parser is the right tool. For everyday API responses (a few MB), it's instant.

Where do the random values come from in QR Code Generator?

QR codes aren't random — they're a deterministic encoding of input text or a URL. The 'random' look is the error-correction structure, which is computed from the input. Two QR codes with the same input and the same error-correction level will always be identical.

More categories

Image Format Converters
Convert between HEIC, JPG, PNG, WebP, AVIF, SVG, BMP, TIFF, and more — all in your browser.
Image Editing & Optimization
Compress, resize, crop, rotate, watermark, sharpen, and clean up images without uploading them.
PDF Tools
Convert, merge, split, compress, and edit PDFs locally — your documents never leave the browser.
GIF & Audio Tools
Build, edit, compress, and re-time GIFs and audio clips entirely client-side.
Text & Writing Tools
Count, format, sort, dedupe, diff, and rewrite text without sending it anywhere.