JWT, Regex, Base64: The Developer Toolkit That Runs in Your Browser
Decode JWTs without exposing tokens to third-party sites, test regex patterns with real-time highlighting, encode/decode Base64 — plus JSON formatting, SVG optimization, and CSV-to-JSON conversion. All client-side.
In this article
Every developer has a collection of bookmarked utility sites: jwt.io for token decoding, regex101 for pattern testing, some random Base64 site that may or may not be logging your payloads. The problem is trust. You are pasting production tokens, API responses, and encoded credentials into sites you know nothing about.
InstantTools ships six developer utilities that run entirely in your browser tab. No network requests. No server-side processing. Open DevTools, watch the Network tab — nothing leaves your machine. Here is what each one does and why the local-execution guarantee matters.
JWT Decoder
What It Does
Paste a JSON Web Token. The tool splits it into header, payload, and signature, decodes Base64url, formats the JSON, and highlights key fields: exp (with a human-readable expiry time and "expired" / "valid for 3h 22m" badge), iat, sub, iss, and any custom claims.
Why Client-Side Matters Here
JWTs are bearer tokens. Anyone who has the token can impersonate the user until it expires. Pasting a production JWT into a server-side decoder means you have just sent a valid session token to a third party. If that site is compromised, logging requests, or simply saving tokens "for debugging," your user's session is exposed.
Our decoder never sends the token anywhere. It parses the Base64url segments in JavaScript and renders the result in the DOM. The token stays in your browser's memory and is discarded when you navigate away.
Pro Tips
- Check the
algfield in the header. If it saysnone, someone is testing whether your backend validates signatures. That is a security issue. - The
expfield is a Unix timestamp. The decoder shows both the raw value and a countdown so you can tell at a glance whether a token is still valid. - Copy the decoded payload as formatted JSON for bug reports or documentation.
Regex Workbench
What It Does
Type a regex pattern in the top field. Paste test strings below. Matches highlight in real-time as you type — no "Run" button, no page reload. The tool shows:
- All matches with group captures
- Named capture groups (
(?<name>...)) displayed by name - A match count and performance indicator (flags patterns that would catastrophically backtrack)
- Common pattern library — email, URL, IPv4/6, date formats — available as one-click inserts
Why It Beats regex101 for Quick Checks
regex101 is excellent for deep regex work. But for the common case — "does this pattern match what I think it does?" — a zero-latency local tool with real-time highlighting is faster. There is no account to create, no save-to-library flow, no community features you do not need. Type pattern, paste text, see matches.
The backtracking detector is the standout feature. Paste a pattern like (a+)+b against a string of aaaaaaaaaaac and the tool warns you before you deploy a regex that will freeze your application.
When to Use It
- Validating input patterns before adding them to form validation
- Testing log-parsing regex against sample log lines
- Debugging why a pattern matches too much or too little
- Quick reference for regex syntax (the tool includes a cheatsheet sidebar)
Base64 Encoder/Decoder
What It Does
Encode text or binary data to Base64, or decode Base64 back to plaintext. Supports:
- Standard Base64 (RFC 4648)
- URL-safe Base64 (replaces
+/with-_) - File-to-Base64 (drag a file, get its Base64 representation — useful for embedding images in CSS or testing data URIs)
- Base64-to-file (paste a Base64 string, download the decoded file)
The Security Angle
Base64 is encoding, not encryption. But developers routinely paste Base64-encoded API keys, tokens, and credentials into online decoders to inspect them. If that decoder runs server-side, the decoded credential has now traversed the internet in plaintext. Our tool decodes in the browser — the credential never leaves your machine.
JSON Formatter
Paste minified or malformed JSON. The tool pretty-prints it with syntax highlighting, collapsible nodes, line numbers, and a tree view. It validates on paste and shows precise error locations for malformed input — "Expected comma at line 14, column 23" — instead of the generic "Invalid JSON" that most tools produce.
Features that save time:
- Path copying — click any key to copy its JSONPath (
$.data.users[0].email) - Diff mode — paste two JSON objects and see what changed
- Minify toggle — go from pretty-printed back to single-line for embedding
SVG Optimizer
Paste SVG markup or drag an SVG file. The tool runs SVGO-equivalent optimization: removes metadata, editor artifacts, empty groups, redundant attributes, and unnecessary precision. Typical savings: 20–60% file size reduction with zero visual change.
The before/after preview shows both versions side-by-side at multiple zoom levels so you can verify nothing shifted. A diff view highlights exactly which nodes and attributes were removed.
CSV to JSON Converter
Drag a CSV file or paste comma-separated text. The tool converts it to JSON — either an array of objects (using the header row as keys) or an array of arrays. Handles:
- Quoted fields with embedded commas
- Different delimiters (tab, semicolon, pipe) with auto-detection
- Large files (streams the parse, does not load the entire file into memory at once)
- Type inference — numbers and booleans are converted from strings automatically, with an option to keep everything as strings
The output is downloadable as a .json file or copyable with proper formatting.
The Common Thread
Every tool in this set follows the same principle: your data stays in your browser. For developers, this is not a nice-to-have — it is a security requirement. Tokens, credentials, API responses, and configuration data should never leave your machine for a simple format-or-decode operation. These tools make that guarantee by design, not by policy.
We proved the design claim the way a developer would want it proved: DevTools open, network tab recording, a marker string in the payload. The request logs — including for the JWT decoder specifically — are published in the Privacy Audit.
The Fastest Way In: Paste It
One more workflow note, because it saves a real amount of time: you don't need to find the right tool first. Press ⌘K anywhere on the site and paste whatever you're holding — a JWT, a wall of unformatted JSON, a cron expression, a hex color, a CSV block. Smart Paste recognizes the content type and offers the matching tool with your data already loaded and processed: paste a token, land on a decoded token. For content that keyword search can't classify, the palette falls back to on-device AI routing. The clipboard-to-answer path is usually two keystrokes and an Enter.