I built a privacy-first alternative to jwt.io, regex101 and every other dev tool that phones home

# webdev# javascript# privacy# devtools
I built a privacy-first alternative to jwt.io, regex101 and every other dev tool that phones homeabhilaksh-arora

The dirty secret of online dev tools Every dev tool lives on a different website. jwt.io...

The dirty secret of online dev tools

Every dev tool lives on a different website.

jwt.io for JWT decoding.
regex101 for regex testing.
Some random site for JSON formatting.
Another for diff checking.
Another for curl → code.
Another for SQL formatting.

You end up with 10 bookmarks, 10 different UIs,
and 10 different servers that just received your
most sensitive data — and you never think twice
about it.

I didn't either. Until I did.


What actually happens when you use these tools

Let's take jwt.io as an example.

Your JWT contains:

  • Your auth algorithm
  • Your user ID
  • Your roles and permissions
  • Your token expiry
  • Sometimes your email, name, org ID

When you paste it into jwt.io — it hits their
server. It's in their request logs. Maybe forever.

The same goes for regex101. Your regex patterns
often encode business logic — validation rules,
data formats, internal naming conventions. That
goes to their database.

And every online JSON formatter, diff checker,
SQL tool, .env checker you've ever used? Same story.

You're not just sharing data. You're sharing the
shape of your system.

Most of the time nothing bad happens. But "most
of the time" is a terrible security posture for
a developer who knows better.


I got tired of it

The more I thought about it, the more it bothered me.

I was pasting production JWTs. Real API keys.
Actual .env files with database URLs. Into random
websites I knew nothing about.

So I built DevTab - devtab.in

One tab. 110+ dev tools. Zero server calls.

Everything runs 100% in your browser via
client-side JavaScript and WebAssembly.

Open DevTools → Network while using it.
Nothing fires.

That's not a marketing claim. It's verifiable
in 10 seconds.


What's inside

JSON tools

  • JSON formatter & validator — real-time, error highlighting with line numbers
  • JSON minifier
  • JSON stringify & parse
  • JSON → TypeScript / Pydantic / Go / Zod types

Auth & security

  • JWT decoder — header, payload, expiry countdown, issued-at in human time. Zero network requests.
  • .env diff checker — compare .env.example vs .env, see missing keys, extra keys, mismatches. Values masked by default.

Code converters

  • curl → code (Python requests, JS fetch, Go, Rust)
  • SQL formatter — keyword uppercasing + proper indentation
  • HTML formatter / minifier
  • CSS formatter / minifier
  • XML formatter & validator

Text & diff

  • Text diff — line-level with collapsed unchanged sections
  • JSON diff — structural, key order irrelevant

Regex

  • Regex tester — live match highlighting, all groups + indices, common patterns as chips

Utilities

  • Color converter — HEX, RGB, HSL any to any
  • Timestamp converter — Unix to ISO/UTC/local/relative
  • Base converter — binary, octal, decimal, hex
  • URL inspector — all components + query params individually
  • Chmod calculator — checkboxes → octal + symbolic
  • HTTP status codes — searchable, color-coded
  • Cron expression builder

More coming

Adding new tools every week. 146 planned total.


How it's built

The architecture rule is simple:

Every tool that can run client-side must.

All transform, format, decode, and calculate
tools are pure TypeScript running in your browser.
No backend call. No API. No nothing.

The only planned exceptions are AI-powered Pro
tools — SQL explainer, stack trace debugger,
README generator — and those will be clearly
labelled as making server calls. Every other
tool: zero.

Tech stack:

  • Next.js 14 (App Router)
  • Tailwind CSS + shadcn/ui
  • TypeScript for all tool logic
  • Monaco Editor for code areas

Each tool gets its own URL and SEO landing page.
So /tools/jwt-decoder targets "jwt decoder online",
/tools/json-formatter targets "json formatter online"
and so on. 110+ tools = 110+ SEO entry points into
one product.


The privacy angle is the product

Most dev tool sites are built to be useful.
DevTab is built to be trustworthy first, useful second.

The difference:

Other tools DevTab
Your data hits their server Stays in your browser
Request logs exist No requests to log
You hope they're secure Nothing to breach
Signup to save history No signup needed
Free tier, paid for "privacy" Free, private by default

Privacy isn't a feature you unlock. It's the
architecture.


Try it

devtab.in — free, no signup, no uploads, ever.

Open DevTools → Network while using it.
Verify the claim yourself.

I'm adding new tools every week based on what
people request. What tool do you keep googling
that should be here? Drop it in the comments 👇


Built this as a side project while working as
an SDE. If you found it useful, share it with
a dev friend who's been pasting JWTs into
jwt.io without thinking about it.