The JSON formatter that never sees your JSON
You've got a JWT from a production system and you want to see what's inside it. So you paste it into the first 'JWT decoder' that comes up in search. It shows you the claims — and, depending on how that site is built, it may have just sent your token to a server you know nothing about. That token is a credential. You'd never email it to a stranger, but pasting it into a random web tool can amount to the same thing.
The same quiet risk runs through a whole category of everyday developer tools, and almost none of it is necessary.
The tools that quietly upload
Plenty of online formatters and decoders POST whatever you paste to a backend and send the result back. For lorem ipsum or a throwaway snippet, who cares. But the things developers actually paste into these tools are rarely throwaway: a JWT with a live session, a config file with a database URL, an API response full of customer records, a private key you're trying to inspect. The convenience is real, and so is the fact that your sensitive string just landed in someone else's logs.
The browser already does all of it
Here's the part that makes the upload gratuitous: every one of these operations is built into the browser. Formatting and validating JSON is `JSON.parse` and `JSON.stringify`. Base64 is `atob` and `btoa`. URL encoding is `encodeURIComponent`. Hashing is the Web Crypto API — `crypto.subtle.digest` computes SHA-256 and friends natively. UUIDs come from `crypto.randomUUID`. Decoding a JWT is just splitting on dots and Base64-decoding two segments. None of it requires a round trip. The server was never doing anything your own machine couldn't.
What we built, and what it deliberately doesn't do
So MetaMarshal's utilities run entirely in your browser. The JSON formatter validates and pretty-prints or minifies, and points at the exact character where a syntax error is. Base64 and URL tools encode and decode with correct UTF-8 handling. The hash generator uses Web Crypto. The JWT decoder shows the header and payload — and pointedly stops there: it does not verify the signature, because verifying needs the signing key, and we're never going to ask you to paste that anywhere. Decoding a token to read its claims is safe precisely because it happens locally and nothing is transmitted.
Check it yourself in a minute
This is the good kind of claim, because you can test it. Open DevTools, switch to the Network tab, then paste something into any of the tools and run it. You'll see no request carrying your data — the transform happens and nothing leaves. Do the same on a tool that uploads and you'll watch the request go out. The tools live at /utilities; the verification takes about as long as reading this sentence.