Security and debugging tools
Inspect, verify and sanitize sensitive API debugging data locally in your browser. Use these tools before sharing HAR files, debugging webhook signatures, decoding JWTs or inspecting certificates — the data never leaves your machine.
Which security/debugging tool should I use?
HAR Sanitizer
Redact cookies, Authorization headers, tokens and API keys from HAR files before sharing them with vendor support.
Sanitize HAR files before sharing →Webhook Signature Verifier
Debug Stripe, GitHub, Slack or custom HMAC webhook signatures by recomputing the signature from payload and secret.
Verify webhook signatures →JWT Decoder
Inspect JWT header and payload claims — issuer, audience, expiry and custom claims — without uploading the token.
Decode JWT claims locally →JWK/JWKS/PEM Converter
Convert public keys between JWK, JWKS and PEM formats for backend token validation.
Convert JWK, JWKS and PEM keys →Certificate & PEM Tools
Inspect X.509 certificates, PEM blocks and certificate details such as subject, issuer and expiry.
Inspect X.509 certificates →Secrets Scanner
Scan logs, payloads and config for exposed API keys, tokens and passwords before you share them.
Find secrets in logs and payloads →Common security/debugging problems
- Sanitize browser network logs before sending to vendor support
- Check whether HAR files contain cookies or bearer tokens
- Verify webhook payload signatures
- Decode JWT claims during API debugging
- Convert JWKS keys for backend validation
- Inspect certificate expiration and subject details
Practical guides
- Sanitize a HAR file before sharing it with support
- Does a HAR file contain cookies and tokens?
- Verify a Stripe webhook signature locally
- Verify a GitHub webhook signature locally
FAQ
Should I sanitize a HAR file before sharing it?
Yes. HAR files captured from browser DevTools usually contain cookies, Authorization headers, bearer tokens, API keys and full request bodies. Redact them with the HAR Sanitizer before sending the file to a vendor or support team.
Can a HAR file contain cookies or tokens?
Yes. A HAR is a full record of network traffic, so it can include Cookie and Set-Cookie headers, Authorization headers, bearer and session tokens, API keys in query strings and sensitive payloads. See what a HAR file can contain.
Can I decode a JWT locally?
Yes. The JWT Decoder parses the header and payload claims in your browser so you can inspect issuer, audience, expiry and custom claims without sending the token anywhere.
How do I verify webhook signatures?
Use the Webhook Signature Verifier. Paste the raw payload, the signing secret and the signature header to recompute the HMAC and confirm a Stripe, GitHub, Slack or custom signature matches.
What is the difference between JWK, JWKS and PEM?
A JWK is a single key in JSON form. A JWKS is a JSON set of multiple JWKs, typically served at a /.well-known/jwks.json endpoint. PEM is the Base64 ASCII format used by most backend libraries. The JWK/JWKS/PEM Converter translates a public key between these formats.
Is sensitive data uploaded to a server?
No. Every tool in this cluster runs locally in your browser. HAR files, tokens, keys and certificates are processed in memory and are not sent to a server or logged.
Keep exploring
- JSON and API contract tools — validate schemas, diff responses, build JSON Patch.
- Data cleanup and QA tools — compare CSVs, clean lists, build SQL filters.
- All tools — the full utility catalog.