The Moment I Froze
Pasting a JWT token into an online decoder. Throwing API response JSON into a formatter. Diffing code with an online tool.
If you're a developer, you probably do this every day.
I did too. One day, while decoding a JWT as usual, it hit me:
"This token contains the user's email and role info… where did it just get sent?"
I opened DevTools' Network tab. A POST request had fired. My input data was being sent to a server.
No malicious intent, obviously. Server-side processing is just how it's designed. But when you think about it, it's unsettling.
This experience led me to build PureMark — a developer tool suite that runs entirely in the browser. JSON / Base64 / URL / Diff / Timestamp / JWT — none of the six tools ever send your data externally.
It's Already Happening — Data Leaks Via Online Tools
"Am I overthinking this?" you might wonder. But incidents have already occurred.
80,000 AWS Keys Leaked (November 2025)
Security firm watchTowr Labs discovered that over 80,000 AWS keys, passwords, and API secrets had leaked from jsonformatter.org and codebeautify.org. Five years of stored data, over 5GB. Government agencies, banks, telecoms, and aerospace organizations were affected.
Developers had pasted data into these sites for JSON formatting and validation, and that data was stored on servers. It was provided as a "save" feature, but most users had no idea their credentials were being retained.
I also covered this in a previous article: JSON Formatter Dev Log: Zero-Click Formatting and Clipboard API Pitfalls
Samsung ChatGPT Incident (March 2023)
Samsung engineers input confidential source code and meeting transcripts into ChatGPT, leaking information externally. Three leaks occurred within just one month, forcing Samsung to ban internal ChatGPT usage.
This isn't about online tools specifically, but the risk of sending data to external services has the same structure.
The Structural Problem
I'm not here to criticize. Many online developer tools use server-side processing because it's easier to implement and handles complex operations well. It's a rational choice.
The problem is that users aren't aware of it.
- JWT tokens contain claims like
sub(user ID),email,role - API response JSON may contain customer data or internal IDs
- Code pasted into diff tools might be unreleased feature implementations
Even if a privacy policy says "we don't store your data," risk isn't zero the moment data is transmitted.
Everything Could Run Client-Side
With PureMark, all six tools run entirely in the browser. Not a single line of server-side code.
Honestly, I first thought "is that even possible?" But when I investigated, browsers' standard APIs can do surprisingly much.
JSON Formatting: Done in 2 Lines
const parsed = JSON.parse(raw);
const formatted = JSON.stringify(parsed, null, 2);
Validation, formatting, minification — all done with JSON.parse + JSON.stringify. Absolutely no need to send to a server.
Base64: Browser Native API
const encoded = btoa(input); // encode
const decoded = atob(encoded); // decode
Unicode support required combining with encodeURIComponent, but it still completes entirely in the browser.
JWT: Just Base64 Decode
JWT structure is three parts separated by dots: header.payload.signature. Header and payload are Base64URL-encoded JSON, so decoding reveals the claims.
const [header, payload] = token.split('.');
const claims = JSON.parse(atob(payload.replace(/-/g, '+').replace(/_/g, '/')));
Secret key signature verification isn't done on the frontend anyway (you can't expose the secret key in the browser). Decoding alone requires no server.
Try using PureMark, then open DevTools' Network tab. Besides GA4 beacons, you'll see zero external requests.
Try it: json.puremark.app / jwt.puremark.app
Diff: 130-Line Custom Implementation
This was the one exception where "2 lines with standard APIs" didn't cut it.
Displaying text differences requires the Myers diff algorithm. An external library would make it instant, but I wanted zero external dependencies. The result: about 130 lines of TypeScript.
What Went Wrong Without a Server
Client-side completion sounds ideal, but it comes with significant constraints. Here are the failures.
Myers Diff Off-by-One Bug
My custom Myers diff implementation produced a bug where highlight positions shifted on specific patterns.
The cause: an index calculation in backtrack processing used k where it should have been k - 1. A classic off-by-one error.
Tests passed. But it broke on edge cases.
I noticed the day after deployment and broke into a cold sweat. External libraries offer battle-tested code, but custom implementations carry this kind of risk. I still chose zero external dependencies to minimize bundle size and eliminate license risks.
2000-Character URL Limit
No server means no database to store shortened URLs.
My solution: a "recipe URL" approach. Base64-encode tool input data and embed it in the URL hash.
https://json.puremark.app/#d=eyJhYmMiOiJkZWYifQ&m=format
This restores tool state from the URL alone. No server needed.
...or so I thought, until slightly longer JSON exceeded 2000 characters. The browser URL length limit hits, and the share button grays out.
For now, I've accepted this limitation. Long data sharing falls back to a file download feature. A server could solve it by storing URL shortener keys in a DB, but that violates the "don't send data" principle. It was a trade-off.
SEO Disadvantage
SPAs can't do server-side rendering (SSR), which hurts search engine indexing.
I serve static HTML via Cloudflare Pages with pre-generated OGP images and meta tags. Still, compared to SSR frameworks like Next.js, SEO remains a handicap.
Why I Still Choose Client-Side
Constraints exist. But what you gain outweighs them.
| Aspect | With Server | PureMark (No Server) |
|---|---|---|
| Where data goes | Sent to server | Never leaves browser |
| Monthly server cost | $20+ minimum | $0 (Cloudflare Pages free tier) |
| Offline support | Not possible | Works as PWA |
| Response speed | Network round-trip | Instant processing |
| User verifiability | Impossible if source is closed | Checkable via DevTools Network tab |
User trust > SEO score.
That was my conclusion after building 6 tools in 2 weeks.
Before / After
| Before | After |
|---|---|
| "Is this safe...?" every time pasting JWT into an online tool | Can verify with your own eyes that no requests are firing in Network tab |
| Hesitating to paste customer data into JSON formatters | No hesitation when data never leaves the browser |
| Afraid to paste unreleased code into diff tools | Don't even think about it with local processing |
| Opening different sites for each tool | One-click switching via PureMark's navbar |
Data pasted into developer tools is more sensitive than you think. Once I realized that, I started paying attention to what's happening behind the tools I use.
PureMark was born from that realization — a tool I myself can use with peace of mind.
Try it: puremark.app — JSON / Base64 / URL / Diff / Timestamp / JWT, all browser-complete.
Related Articles
- JSON Formatter Dev Log: Zero-Click Formatting and Clipboard API Pitfalls
- I Built a JWT Decoder and atob() Didn't Work — Half a Day Lost
- Implementing Text Diff Without Libraries — Myers Diff 130-Line Pitfall
Top comments (0)