Last week I was debugging a webhook integration — decoding JWTs, converting timestamps, diffing JSON payloads, hashing HMAC signatures. Each task meant opening a new browser tab, pasting data into some random website, and hoping I wasn't leaking secrets to a third party.
Then I remembered: my AI assistant already has all these tools built in.
Here's how MCP developer tools turned a tab-heavy debugging session into a conversation.
The Setup (2 minutes)
MCP (Model Context Protocol) lets AI assistants call local tools. No browser, no copy-paste, no data leaving your machine.
I use mcp-devutils — 44 developer utilities that run locally via npx. Setup for Claude Desktop:
{
"mcpServers": {
"devutils": {
"command": "npx",
"args": ["-y", "mcp-devutils"]
}
}
}
Works the same in Cursor (.cursor/mcp.json), Windsurf (~/.codeium/windsurf/mcp_config.json), and VS Code (.vscode/mcp.json).
Restart your editor. Done.
The Workflow: Debugging a Webhook
Step 1: Decode the JWT
A webhook sends a JWT in the Authorization header. Normally I'd go to jwt.io, paste the token, squint at the payload.
With MCP tools, I just paste the token into the chat:
"Decode this JWT: eyJhbGciOiJIUzI1NiIs..."
The jwt_decode tool splits it into header and payload instantly — algorithm, issuer, expiry, claims — all right there. No browser tab. No pasting secrets into a website.
Step 2: Check the Timestamp
The JWT has an exp claim: 1711382400. Is this expired? When does it expire?
"Convert this timestamp: 1711382400"
The timestamp tool converts it to 2024-03-25T16:00:00Z and tells me it's in the past. Expired. Mystery solved — the webhook was using a stale token.
Step 3: Verify the HMAC Signature
The webhook includes an X-Signature header for payload verification. I need to compute HMAC-SHA256 of the request body with my secret.
"Generate HMAC-SHA256 of this payload with key 'webhook_secret_123': {\"event\":\"payment.completed\"...}"
The hmac tool computes it locally. I compare it with the header value. Match confirmed — the payload wasn't tampered with.
Step 4: Diff the Expected vs Actual Payload
The webhook payload doesn't match what the docs say. Instead of eyeballing two JSON blobs, I ask:
"Diff these two JSON objects: [expected] vs [actual]"
The json_diff tool shows exactly what changed: a field was renamed from amount to total, and a nested metadata object was added. Two-second answer instead of a five-minute squint.
Step 5: Format the SQL Query
I need to check the database for the payment record. The query is a one-liner mess from the logs:
"Format this SQL: SELECT p.id, p.amount, u.email FROM payments p JOIN users u ON p.user_id = u.id WHERE p.webhook_id = 'wh_abc123' AND p.status = 'completed'"
The sql_format tool returns it properly indented and readable. Copy, paste into my database client.
Step 6: Generate a Test UUID
I need to send a test webhook back. Need a fresh idempotency key:
"Generate a UUID"
Done. uuid tool returns a v4 UUID instantly.
What Changed
Before MCP tools, this debugging session involved:
- 6+ browser tabs open
- Copy-pasting sensitive data (JWTs, API keys) into random websites
- Context-switching between editor and browser constantly
- ~30 minutes of tab-juggling overhead
After: everything happened in one conversation window. The tools run locally — no data leaves your machine. The AI assistant orchestrates the tools based on what you ask, so you describe the problem in plain English instead of remembering which website does what.
The Full Toolkit
mcp-devutils includes 44 tools total. The 15 I use most for API work:
Free (always available):
-
jwt_decode— decode JWT tokens -
hash— MD5/SHA1/SHA256 hashing -
hmac— HMAC signature generation -
timestamp— Unix/ISO timestamp conversion -
base64— encode/decode -
json_format— pretty-print or minify -
uuid— generate UUIDs -
url_encode— URL encode/decode -
regex_test— test patterns with match details -
cron_explain— understand cron schedules
Pro ($5 one-time unlock):
-
json_diff— compare JSON objects -
jwt_create— create test JWTs -
sql_format— format SQL queries -
csv_json— convert between CSV and JSON -
string_escape— escape for JSON/SQL/shell
Try it: npx mcp-devutils — 15 tools free forever, all 29 pro tools get 3 free trials each.
Why This Matters
The real win isn't speed — it's security. Every time you paste a JWT into jwt.io or a hash into an online tool, that data potentially leaves your control. MCP tools run locally. Your secrets stay on your machine.
The second win is flow. Instead of "let me open a new tab, find the right tool, paste the data, read the result, switch back to my editor" — you just ask. The AI figures out which tool to call.
If you're doing API development and you haven't tried MCP tools yet, the setup takes 2 minutes. Give it a shot.
Top comments (0)