Tools

Last reviewed on 4 May 2026.

Client-side utilities for working with web APIs. Each tool runs entirely in your browser — no data leaves the page, no server round-trips, no telemetry on what you paste.

The tools here exist for two reasons. The first is practical: when you're debugging an integration, you need to inspect a token, verify a signature, or check a payload — and the existing online tools either send your data to a server or bury the explanation under ads. The second is educational: each tool is paired with the explanation that turns "I clicked verify and it said yes" into "I understand what was actually checked."

JWT decoder & validator

Decode the header and payload of a JWT, and verify the signature against a secret (HS256/384/512) or PEM public key (RS256/384/512, ES256/384). Annotates each claim with what it means and warns about common security mistakes.

HMAC webhook signature playground

Sign or verify webhook payloads using the actual signing rules from Stripe, GitHub, Slack, and Shopify — or define your own. Shows the exact signing string at each step so you can debug "signature mismatch" errors end-to-end.

What's coming

The roadmap, roughly in order:

  • HTTP status code decision flowchart. Interactive Q&A that takes you to the right status code for the response you're trying to send.
  • OAuth 2.0 flow visualizer. Step-by-step walkthroughs of the authorization code, client credentials, and PKCE flows with the actual HTTP requests and responses at each step.
  • JSON Schema converter. Paste a schema; get TypeScript / Python / Go types out, with explanation of how each constraint maps.
  • Cursor pagination simulator. Visualize how cursor-based pagination behaves under inserts, deletes, and skipped pages — the failure modes of pagination as an interactive demo.

If you'd find a tool useful that isn't here, the contact page has the address.

Why client-side only

Every tool on this page runs in your browser using standard web APIs (Web Crypto for cryptographic operations). The token, secret, body, or key you paste never gets sent over the network. View source on any tool page to verify; the JavaScript is in the page, not loaded from an external script.

This matters because the inputs to these tools are usually sensitive. A JWT contains identity claims; a webhook signing secret authenticates entire integrations; a private key, if you accidentally pasted one, would compromise everything signed with it. Sending those to a third-party server — even for a "harmless" debugging tool — creates risk that the page's purpose doesn't justify.