Building DevToolbox: 7 Browser-Based Developer Utilities That Never Touch a Server
I built a free collection of developer tools — JSON formatter, JWT decoder, regex tester, and more — that run entirely client-side. Here is why privacy-first tooling matters and how it works.
Every developer has a handful of browser tabs permanently open for small utility tasks. Formatting a JSON response from an API. Decoding a JWT to figure out why auth is failing. Testing a regex before committing it. Converting a Unix timestamp a colleague pasted in Slack.
The tools that show up first in search results for these tasks tend to share a few problems. They send your data to a server. They show full-screen ads between every action. Some require you to create an account to use a Base64 decoder. That has always felt absurd to me.
So I built DevToolbox — seven browser-based developer utilities that run entirely client-side. No server processing, no accounts, no ads. Your data never leaves the tab.
The tools
JSON Formatter & Validator — paste JSON, get it beautified or minified. Collapsible tree view for nested structures. Error messages with line numbers when the JSON is invalid.
Base64 Encode & Decode — handles both text and files. Drag and drop a file to encode it, or paste Base64 to decode. Image preview for PNG, JPEG, and GIF. Proper UTF-8 handling via TextEncoder and TextDecoder.
JWT Decoder — paste a token, see the header, payload, and signature color-coded and decoded instantly. Shows expiration in both UTC and local time with a live countdown — "Expired 14m 23s ago" or "Valid — expires in 59m 37s." No more mental math on exp claims.
Regex Tester — real-time match highlighting as you type with a 200ms debounce. Supports all flags including dotall and unicode. Shows capture groups and match positions. Quick presets for common patterns like email, URL, and IP. The regex runs in a Web Worker with a 2-second timeout, so catastrophic backtracking patterns get killed gracefully instead of freezing your browser.
Cron Expression Builder — visual mode with dropdowns or manual text entry. Two-way binding between the expression and the builder. Shows a human-readable description and the next 5 scheduled run times calculated from now.
UUID & Hash Generator — generate UUID v4 individually or in bulk up to 100. Hash any text with MD5, SHA-1, SHA-256, and SHA-512 computed simultaneously as you type. SHA hashes use the browser's native crypto.subtle.digest.
Unix Timestamp Converter — live clock, Unix-to-human conversion with auto-detection of seconds versus milliseconds, human-to-Unix date picker, and a timezone converter covering 20 major zones.
Why client-side matters
When you paste a JWT token into an online decoder, you are handing your auth credentials to someone else's server. When you format a JSON response that contains customer data, that data hits an endpoint you do not control. Most developers know this but do it anyway because the alternatives are inconvenient.
DevToolbox has no server-side endpoints that process user input. PHP handles routing and serves HTML. Everything else — parsing, formatting, hashing, decoding — runs in JavaScript inside your browser tab. There is nothing to intercept because nothing is transmitted.
Technical decisions
No npm. No build step. No database. The stack is PHP for routing and templating, Tailwind CSS via CDN, Alpine.js via CDN for interactivity, and vanilla JavaScript minified with terser. The entire site runs on shared hosting. I chose this deliberately — the fewer moving parts, the fewer things that break at 2 AM.
The regex tester deserved special attention. A naive implementation would freeze the browser on patterns with catastrophic backtracking like (a+)+$. Running the regex in a Web Worker with a timeout solves this cleanly — the worker gets terminated after 2 seconds, the UI stays responsive, and the user sees a clear error instead of a hung tab.
The design is dark-only with an emerald accent, using Outfit for headings and JetBrains Mono for code areas. It looks like a tool developers would actually want open in a side panel, not a marketing site pretending to be useful.
Who this is for
Any developer who uses these utilities daily and would rather not send production data through someone else's server. Backend developers debugging API responses. Frontend developers testing regex patterns. DevOps engineers building cron schedules. Anyone who has ever pasted a JWT into jwt.io and then thought about it for a second too long.
Try it here — no sign-up, no ads, nothing to install. Bookmark it and forget where you found it.