DEV Community: crypto plato

Cron Expressions: a Cron Expressions tool that never sees your data

crypto plato — Wed, 03 Jun 2026 20:05:43 +0000

Most online Cron Expressions tools quietly send what you paste to a server. That's
fine until it isn't — config blobs, tokens, and API responses are exactly the
kind of thing you don't want leaving your machine.

So Cron Expressions takes the opposite approach: it's a single, self-contained page
that runs entirely in your browser.

How it works

Cron Expressions is 100% in your browser — nothing is uploaded to a server. There's no backend and no API call for the core
function. You can verify it yourself:

Open the page.
Open DevTools → Network.
Use the tool.
Watch the Network tab stay empty.

The whole thing is one HTML file — View Source shows the JS that runs
everything. It can't leak your data because it never receives it.

What it does

Parse Unix, GitHub Actions, Vercel, AWS, Cloudflare cron.

Fast, single-purpose, no signup
Works offline (save the page)
No tracking beyond a privacy-friendly analytics beacon

Why browser-side matters

The convenient online dev tools we paste into are an under-appreciated
supply-chain risk. The fix isn't a warning banner — it's architecture: if the
tool runs on your machine, there's no breach to have. That's the principle
behind the whole platotools.com set (JSON, JWT,
hashing, encoding, regex, diff) — all client-side, all single-purpose.

Try it: https://cron.platotools.com/

If you hit an edge case, I'd genuinely like the bug report.

JWT Decoder: a jwt decoder tool that never sees your data

crypto plato — Tue, 02 Jun 2026 06:50:00 +0000

Most online jwt decoder tools quietly send what you paste to a server. That's
fine until it isn't — config blobs, tokens, and API responses are exactly the
kind of thing you don't want leaving your machine.

So JWT Decoder takes the opposite approach: it's a single, self-contained page
that runs entirely in your browser.

How it works

JWT Decoder is 100% in your browser — nothing is uploaded to a server. There's no backend and no API call for the core
function. You can verify it yourself:

Open the page.
Open DevTools → Network.
Use the tool.
Watch the Network tab stay empty.

The whole thing is one HTML file — View Source shows the JS that runs
everything. It can't leak your data because it never receives it.

What it does

Decode JWT header, payload, and claims — expiry countdown, claim notes, 100% browser-side.

Fast, single-purpose, no signup
Works offline (save the page)
No tracking beyond a privacy-friendly analytics beacon

Why browser-side matters

Try it: https://jwt.platotools.com/

If you hit an edge case, I'd genuinely like the bug report.

I built a JSON formatter that physically cannot see your data

crypto plato — Tue, 02 Jun 2026 05:37:51 +0000

In November 2025, watchTowr disclosed that two of the most-used online JSON tools — jsonformatter.org and codebeautify.org — had been quietly exposing 80,000+ pasted JSON blobs through their "Save" feature for roughly five years. The leaked data included AWS keys, GitHub personal access tokens, Active Directory credentials, and database connection strings.

If you've ever pasted a config or an API response into one of those sites to pretty-print it, that data may have been publicly retrievable.

Both sites have since re-enabled "Save" with a "public by default" warning. That's a disclosure, not a fix.

So I built the version that removes the entire class of problem: a JSON formatter with no server.

The core idea: there's nowhere for your data to go

json.platotools.com is a single, self-contained HTML file. All formatting, validation, diffing, and redaction happen in your browser's JavaScript engine. There is no backend, no API call, no telemetry on what you paste.

You don't have to take my word for it:

Open the page.
Open DevTools → Network tab.
Paste a giant JSON blob and format it.
Watch the Network tab stay empty.

No requests fire when you paste. The tool can't leak your data because it never receives it. View Source shows the entire program.

What it does beyond pretty-printing

Validator with a collapsible type-tree and JSON Schema inference
Diff — line-level and semantic (ignore key order)
Secret redactor — detects ~18 credential patterns (AWS, GitHub PATs, Stripe, OpenAI/Anthropic keys, JWTs, etc.) and replaces them with [REDACTED:TYPE] markers, locally
JSON ↔ YAML toggle
Dark mode, mobile down to 360px, keyboard shortcuts

The engineering constraints

12 KB gzipped. No frameworks, no build step, no external requests.
One HTML file you can save and run offline.
The redactor's regex bank is in the page source — if you find a secret pattern it misses, you can inspect exactly what it checks for (and I'd genuinely like the bug report).

Why "no server" is the whole point

The convenient online dev tools we all paste into are an under-appreciated supply-chain risk. The fix isn't "trust us, we added a warning" — it's architecture: if the tool runs entirely on your machine, there's no breach to have.

That principle is the wedge for the rest of the platotools.com tools too (hash, JWT decode, encode/decode, regex, diff) — all browser-side, all single-purpose.

Try it: json.platotools.com

If you spot an edge case the validator or redactor mishandles, I'd love to hear it.