DD
DevDash

Methodology

How DevToolHQ is built, which libraries power each tool, and why nothing you paste ever leaves your device.

Last updated 2026-04-15 · By Aniket Nigam

Every tool runs 100% client-side

Every interactive tool on DevToolHQ performs its work inside your browser tab. When you paste a JWT into the decoder, the parsing happens in JavaScript running on your machine. When you generate an SHA-256 hash, the bytes are hashed in your tab and the result is rendered directly. No input is ever POSTed to an API route, no payload is streamed to an edge function, and there is no server-side computation step anywhere in the hot path.

The fastest way to verify this is to open your browser devtools, switch to the Network tab, clear it, and use any tool. You will see the initial HTML and JavaScript load, static asset requests, and nothing else that corresponds to the data you entered.

How the architecture works

DevToolHQ is a Next.js App Router application. The tool pages are statically rendered at build time so the HTML shell ships with zero server rendering of user input. The interactive UI is a React component tree that hydrates in the browser and handles all input inside client components.

The heavy lifting uses three categories of browser primitives. First, the native Web Crypto API (crypto.subtle) for modern hashing and signing where supported, because it is faster and avoids shipping extra bytes. Second, well-audited open-source libraries for formats the browser does not handle natively. Third, native browser APIs like the URL constructor, TextEncoder, atob/btoa, and JSON.

Libraries used

  • jsrsasign: JWT decoding, signature verification, RSA and EC key handling.
  • crypto-js: legacy hash algorithms (MD5, SHA-1, HMAC variants) where crypto.subtle does not cover them.
  • uuid: v1/v4/v7 identifier generation using cryptographically strong random bytes from crypto.getRandomValues.
  • cron-parser: cron expression validation and next-fire calculations.
  • js-yaml and native JSON for converters.
  • Browser-native URL, URLSearchParams, and Intl for URL parsing and number formatting.

The dependency list is kept short on purpose. Fewer libraries means smaller bundles, easier audits, and fewer moving parts when a security advisory lands.

Privacy statement

Data you enter into any tool stays on your device. There is no telemetry that includes tool input, no server log of what you processed, and no analytics event attached to the content of what you pasted. The only network traffic generated by using a tool is the initial page load and static assets.

DevToolHQ runs ads on a subset of pages to keep the tools free. Ad networks see the URL you are on and standard browser information, which is how the advertising web works everywhere. They never receive the contents of your tool input, because that content is never sent to any server in the first place.

Update cadence

Bug fixes and small improvements ship roughly every week. New tools are added about once a month, driven by what I actually need in my day-to-day work or by specific requests from readers. Each deploy is a full rebuild that regenerates every static page, so tool pages always reflect the latest tool code.

Questions or corrections

If anything on this page is inaccurate, or you want to know which library a specific tool uses, email hello@devtoolhq.com. Technical feedback is welcome and usually leads to a fix within a week.

About the authorBrowse all tools
Want API access + no ads? Pro coming soon.