DEV Community: ToolsMatic The latest articles on DEV Community by ToolsMatic (@toolsmatic). https://dev.to/toolsmatic https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3908449%2F94f592fb-7e8f-4fdf-a75f-7305c833538c.png DEV Community: ToolsMatic https://dev.to/toolsmatic en Stop using basic JSON formatters. I built one that actually fixes your errors. ToolsMatic Sat, 02 May 2026 05:29:19 +0000 https://dev.to/toolsmatic/stop-using-basic-json-formatters-i-built-one-that-actually-fixes-your-errors-567i https://dev.to/toolsmatic/stop-using-basic-json-formatters-i-built-one-that-actually-fixes-your-errors-567i <p>If you are a developer, you probably deal with JSON every single day. And if you are like me, you probably have a bookmark to some random "JSON Formatter Online" site from 2014.</p> <p>You paste your payload, click "Format", and... </p> <p><code>Error: Parse error on line 42: ... "status": "active", } ... Expecting 'STRING', got '}'</code></p> <p>Because of one tiny <strong>trailing comma</strong>, the tool refuses to work. Now you have to manually hunt down the error, fix it, and try again. Oh, and you just pasted a production API response containing user data into a random website that probably logged it.</p> <p>I got so frustrated with this workflow that I decided to build <strong><a href="https://toolsmatic.me/tools/json-formatter.html" rel="noopener noreferrer">ToolsMatic JSON Formatter Pro</a></strong>--a 100% free, client-side tool that actually solves developer pain points.</p> <p>Here are 8 features I built into it that make it the last JSON tool you'll ever need.</p> <h3> 1. Auto-Repair Invalid JSON </h3> <p>Instead of throwing a useless error when your JSON is slightly malformed, ToolsMatic includes an <strong>Auto-Repair</strong> button. <br> If your payload has trailing commas, single quotes instead of double quotes, or unquoted keys ({ name: "John" }), clicking Auto-Repair will automatically normalize and fix the syntax for you, saving you from hunting down typos in a 5,000-line payload.</p> <h3> 2. Handling Massive 100MB Files Without Crashing </h3> <p>Most browser-based JSON tools completely freeze if you paste anything larger than 5MB. I built ToolsMatic to handle massive database dumps and logging exports. It supports <strong>streaming uploads and downloads up to 100MB</strong>, so you can format and analyze massive payloads without crashing your browser tab.</p> <h3> 3. The JSON Path Finder </h3> <p>Have you ever stared at a massive API response in your browser, found the exact value you need, and then spent 2 minutes trying to figure out the exact dot-notation path to extract it in your code?</p> <p>In ToolsMatic, you can switch to <strong>Tree View</strong>. When you find the value you want, simply <strong>click it</strong>. <br> The tool will automatically copy the exact path to your clipboard (e.g., data.users[3].profile.avatar_url). It's a massive time-saver when writing frontend data-fetching logic.</p> <h3> 4. Native JSON Schema Validation </h3> <p>If you are working with strict APIs, you can switch to the "Schema" mode, paste your JSON Schema, and instantly validate your payload against it. It gives you detailed error messages with exact field locations, making it incredibly easy to ensure your payloads match your OpenAPI/Swagger specs.</p> <h3> 5. Real-Time Regex Search </h3> <p>When you are looking for specific values in a 20,000-line JSON file, standard Ctrl+F doesn't always cut it. ToolsMatic includes a built-in search bar that supports <strong>Regex patterns</strong>, highlighting matches in real-time as you type through massive nested structures.</p> <h3> 6. Side-by-Side Compare Mode </h3> <p>Trying to figure out what changed between two API responses or config files? Instead of dropping them into a generic text diff tool, ToolsMatic has a built-in JSON Compare Mode. It formats both payloads and highlights the exact structural differences, added keys, and changed values. </p> <h3> 7. Sort Keys Alphabetically </h3> <p>Sometimes you just need to normalize data before diffing it or saving a configuration file. With one click, you can sort every single key in the entire JSON tree alphabetically, at every depth level. </p> <h3> 8. 100% Privacy (Zero Server Uploads) </h3> <p>This is the most important part. When we debug API responses, they often contain sensitive PII, Bearer Tokens, or proprietary config structures. </p> <p><strong>ToolsMatic does not have a backend.</strong> The formatting, minification, schema validation, and tree generation all happen entirely inside your browser using Vanilla JavaScript. Once the page loads, you can turn off your Wi-Fi and the tool will still work perfectly. Your data never leaves your machine.</p> <h3> Try it out! </h3> <p>It's completely free, has no ads covering the editor, requires no login, and is packed with keyboard shortcuts (Ctrl+Enter to format, Ctrl+M to minify). </p> <p>You can try it here: <strong><a href="https://toolsmatic.me/tools/json-formatter.html" rel="noopener noreferrer">ToolsMatic JSON Formatter</a></strong></p> <p>I built this to scratch my own itch, but I'd love to hear what features you think are missing! What is the most annoying thing about working with JSON for you? Let me know in the comments!</p> json webdev tools javascript How I built a zero-dependency, 100% client-side JWT Verifier using the Web Crypto API ToolsMatic Sat, 02 May 2026 05:16:37 +0000 https://dev.to/toolsmatic/how-i-built-a-zero-dependency-100-client-side-jwt-verifier-using-the-web-crypto-api-477a https://dev.to/toolsmatic/how-i-built-a-zero-dependency-100-client-side-jwt-verifier-using-the-web-crypto-api-477a <p>JSON Web Tokens (JWTs) are everywhere. Whether you're debugging an OAuth flow, a rogue microservice, or a broken single-page application, inspecting a JWT is a daily task for most developers. </p> <p>But there's a massive, glaring problem with how we usually do it: <strong>We paste production tokens into random third-party websites.</strong></p> <p>Many online JWT decoders send your token to their backend to parse or verify it. If that token contains sensitive claims, PII, or internal routing data - and if it hasn't expired - you've just leaked it. </p> <p>I was tired of wondering if a random tool was logging my tokens, so I decided to build a <strong><a href="https://toolsmatic.me/tools/jwt-inspector.html" rel="noopener noreferrer">privacy-first JWT Inspector</a></strong> for my tool hub, ToolsMatic. </p> <p>The goal? <strong>Zero backend. Zero dependencies. 100% client-side processing.</strong> </p> <p>Here's how I built it using nothing but Vanilla JavaScript and the native Web Crypto API.</p> <h3> Step 1: Safely Decoding Base64URL in the Browser </h3> <p>A JWT is just three strings separated by dots (<code>header.payload.signature</code>), encoded in Base64URL. </p> <p>The first challenge is that the browser's native <code>atob()</code> function only understands standard Base64, not Base64URL (which swaps <code>+</code> and <code>/</code> for <code>-</code> and <code>_</code>, and removes the <code>=</code> padding). </p> <p>To decode the token without a library, we have to normalize the string back to standard Base64 first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">b64urlDecodeToString</span> <span class="o">=</span> <span class="p">(</span><span class="nx">part</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// 1. Swap characters back to standard Base64</span> <span class="kd">const</span> <span class="nx">norm</span> <span class="o">=</span> <span class="nx">part</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/-/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">+</span><span class="dl">'</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/_/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// 2. Add back the missing '=' padding</span> <span class="kd">const</span> <span class="nx">pad</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">=</span><span class="dl">'</span><span class="p">.</span><span class="nf">repeat</span><span class="p">((</span><span class="mi">4</span> <span class="o">-</span> <span class="p">(</span><span class="nx">norm</span><span class="p">.</span><span class="nx">length</span> <span class="o">%</span> <span class="mi">4</span><span class="p">))</span> <span class="o">%</span> <span class="mi">4</span><span class="p">);</span> <span class="c1">// 3. Decode to binary, then convert to a string</span> <span class="kd">const</span> <span class="nx">str</span> <span class="o">=</span> <span class="nf">atob</span><span class="p">(</span><span class="nx">norm</span> <span class="o">+</span> <span class="nx">pad</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bytes</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">str</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">str</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span> <span class="o">+=</span> <span class="mi">1</span><span class="p">)</span> <span class="nx">bytes</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span> <span class="o">=</span> <span class="nx">str</span><span class="p">.</span><span class="nf">charCodeAt</span><span class="p">(</span><span class="nx">i</span><span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">TextDecoder</span><span class="p">(</span><span class="dl">'</span><span class="s1">utf-8</span><span class="dl">'</span><span class="p">).</span><span class="nf">decode</span><span class="p">(</span><span class="nx">bytes</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// Malformed padding or characters</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>With this, decoding the <code>header</code> and <code>payload</code> is as simple as splitting the token by <code>.</code> and running <code>JSON.parse()</code>.</p> <h3> Step 2: The Hard Part - Cryptographic Verification </h3> <p>Decoding the JSON is easy, but a JWT is useless if you can't verify its cryptographic signature. </p> <p>Most people reach for the <code>jsonwebtoken</code> npm package for this, but that requires a Node.js backend. Instead, we can use the browser's native <code>window.crypto.subtle</code> API.</p> <h4> Verifying HMAC (HS256) </h4> <p>HMAC algorithms (like <code>HS256</code>) use a shared secret. We need to import the secret key as raw bytes, and then calculate the signature over the <code>header.payload</code> string to see if it matches the token's signature.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// The data we are verifying is the first two parts of the token</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">parts</span><span class="p">[</span><span class="mi">0</span><span class="p">]}</span><span class="s2">.</span><span class="p">${</span><span class="nx">parts</span><span class="p">[</span><span class="mi">1</span><span class="p">]}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">secretMaterial</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">my-super-secret-key</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// 1. Import the raw secret into the Web Crypto API</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">importKey</span><span class="p">(</span> <span class="dl">'</span><span class="s1">raw</span><span class="dl">'</span><span class="p">,</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="nx">secretMaterial</span><span class="p">),</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">HMAC</span><span class="dl">'</span><span class="p">,</span> <span class="na">hash</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SHA-256</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="kc">false</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">sign</span><span class="dl">'</span><span class="p">]</span> <span class="p">);</span> <span class="c1">// 2. Generate a signature for our data using the secret</span> <span class="kd">const</span> <span class="nx">sig</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="dl">'</span><span class="s1">HMAC</span><span class="dl">'</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="nx">data</span><span class="p">);</span> <span class="c1">// 3. Encode our generated signature and compare it!</span> <span class="kd">const</span> <span class="nx">calc</span> <span class="o">=</span> <span class="nf">b64urlEncode</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">sig</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="p">(</span><span class="nx">calc</span> <span class="o">===</span> <span class="nx">parts</span><span class="p">[</span><span class="mi">2</span><span class="p">]);</span> </code></pre> </div> <h4> Verifying RSA (RS256) </h4> <p>RSA algorithms (like <code>RS256</code>) are more complex because they use a public/private key pair. You verify the token using a PEM-formatted Public Key.</p> <p>The Web Crypto API requires us to strip out the <code>-----BEGIN PUBLIC KEY-----</code> headers, convert the base64 payload into an <code>ArrayBuffer</code>, and import it as an <code>spki</code> key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// 1. Clean the PEM string and convert to ArrayBuffer</span> <span class="kd">const</span> <span class="nx">clean</span> <span class="o">=</span> <span class="nx">pem</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/-----BEGIN PUBLIC KEY-----|-----END PUBLIC KEY-----|</span><span class="se">\s</span><span class="sr">+/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">raw</span> <span class="o">=</span> <span class="nf">atob</span><span class="p">(</span><span class="nx">clean</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">keyBuffer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">raw</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">raw</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="nx">keyBuffer</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span> <span class="o">=</span> <span class="nx">raw</span><span class="p">.</span><span class="nf">charCodeAt</span><span class="p">(</span><span class="nx">i</span><span class="p">);</span> <span class="c1">// 2. Import the Public Key</span> <span class="kd">const</span> <span class="nx">publicKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">importKey</span><span class="p">(</span> <span class="dl">'</span><span class="s1">spki</span><span class="dl">'</span><span class="p">,</span> <span class="nx">keyBuffer</span><span class="p">.</span><span class="nx">buffer</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RSASSA-PKCS1-v1_5</span><span class="dl">'</span><span class="p">,</span> <span class="na">hash</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SHA-256</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="kc">false</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">verify</span><span class="dl">'</span><span class="p">]</span> <span class="p">);</span> <span class="c1">// 3. Verify the signature against the data</span> <span class="kd">const</span> <span class="nx">sigBytes</span> <span class="o">=</span> <span class="nf">b64urlDecode</span><span class="p">(</span><span class="nx">parts</span><span class="p">[</span><span class="mi">2</span><span class="p">]);</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span> <span class="dl">'</span><span class="s1">RSASSA-PKCS1-v1_5</span><span class="dl">'</span><span class="p">,</span> <span class="nx">publicKey</span><span class="p">,</span> <span class="nx">sigBytes</span><span class="p">,</span> <span class="nx">data</span> <span class="p">);</span> </code></pre> </div> <h3> Step 3: Accounting for Clock Skew </h3> <p>One of the most frustrating JWT bugs happens when your authorization server and your API server's clocks are out of sync by a few seconds. A token might be rejected as "expired" (<code>exp</code>) or "not valid yet" (<code>nbf</code>).</p> <p>To make this a <em>professional</em> debugging tool, I added a manual Clock Skew slider. When validating claims, the tool simply offsets the current time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">nowSec</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">skew</span> <span class="o">=</span> <span class="mi">60</span><span class="p">;</span> <span class="c1">// Allow 60 seconds of drift</span> <span class="k">if </span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nx">exp</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nx">exp</span> <span class="o">+</span> <span class="nx">skew</span> <span class="o">&lt;</span> <span class="nx">nowSec</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Expired </span><span class="p">${</span><span class="nb">Math</span><span class="p">.</span><span class="nf">round</span><span class="p">(</span><span class="nx">nowSec</span> <span class="o">-</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">exp</span><span class="p">)}</span><span class="s2">s ago`</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> The Result </h3> <p>By combining basic base64url parsing with the native <code>crypto.subtle</code> API, I was able to build a robust JWT inspector that supports <code>HS256/384/512</code>, <code>RS256/384/512</code>, and claim validation - all without sending a single byte over the network. </p> <p>If you're debugging tokens and want to make sure your data stays on your machine, you can use the live tool here: <strong><a href="https://toolsmatic.me/tools/jwt-inspector.html" rel="noopener noreferrer">ToolsMatic JWT Inspector</a></strong>.</p> <p><em>Have you ever accidentally leaked a token to a debugging tool? Let me know in the comments!</em></p> javascript webdev tutorial security