The privacy problem with online tools
Most “free online tools” are not free. The price is your data. Drop a PDF into a free converter and that file lives on a server you do not control. Paste a JWT into a debugger and the token, with whatever credentials it carries, ends up in a third party log. Type a password into a “strength checker” and now someone else has typed it too. The pattern repeats across every category: image resizers, JSON formatters, regex testers, QR generators. The tool runs on a remote machine, your input gets uploaded, and you trust a privacy policy you never read.
There is a different way to build these tools. Modern browsers can run JavaScript, WebAssembly, the Canvas API, the Web Crypto API and the File API on the client side. A real online tool can be 100% local: open the page, do the work in your tab, close the page. Nothing transmitted, nothing logged, nothing kept. The server only ships the HTML, CSS and JS once. Everything that happens with your text, your image or your token happens on your machine.
This post is a curated list of 60+ tools that follow that rule. Every utility linked below runs entirely in your browser. No account, no upload, no subscription, no tracking on the tool itself. Bookmark the ones you use, share the list, replace the SaaS forms in your tab bar with HTML pages that do the work without seeing it.
What “privacy-first” means in practice
Every tool in this list meets a short set of criteria:
- No upload. Your text, image, file, password or token never leaves the tab. The work happens in JavaScript or WebAssembly running on your device.
- No signup. No email, no account, no captcha, no “get the full version” wall. Open and use.
- No tracking on the tool itself. The tool page does not run third party analytics on the input. Whatever telemetry the site uses is for the page load, not for what you type.
- Open behaviour. The processing logic is auditable: you can open dev tools, watch the network panel and confirm no request leaves your machine. Many of the tools also use well known open source libraries (
marked,turndown,sql-formatter,qrcode, the Web Crypto API). - Works offline. Once the page loads, the tool keeps working with no internet. Useful on a plane or behind a strict firewall.
Privacy-first does not mean fewer features. The list below covers everything from JSON formatting to QR codes to image resizing. The features are the same, the data flow is different.
Basic Text (15 tools)
These are the everyday text utilities: clean up a list, sort lines, count characters, find and replace, strip accents. All of them work on big inputs (lists with thousands of lines) without upload.
- Add Prefix / Suffix. Insert text at the start and end of every line. Useful for SQL IN clauses, bullet lists or comment markers.
- Add / Remove Line Breaks. Collapse text into a single line, or split it into N words per line.
- Remove Duplicate Lines. Keep only the first occurrence of each line.
- Remove Empty Lines. Strip blank lines from a list or paragraph.
- Remove Extra Spaces. Trim leading, trailing or duplicated spaces, your choice.
- Remove Lines Containing. Filter out (or keep) every line that matches a string or regex.
- Sort Text Lines. Sort alphabetically or numerically, ascending or descending.
- Letter Case Converter. UPPER, lower, Title, Sentence, aLtErNaTiNg or iNVERSE.
- Remove Letter Accents. Strip diacritics from any letter, keep the Spanish ñ if you want.
- Find and Replace Text. Literal or regex search and replace, with optional case sensitivity.
- Merge Text Lines. Interleave 2 or 3 lists line by line with a custom separator.
- Text Counter. Live counts for characters, words, sentences, lines and word frequency.
- Delimited Column Extractor. Extract one column from CSV, TSV or any delimited text.
- Gendered Keywords (Spanish). Classify Spanish keywords by gender and number with a heuristic.
- URL List Cleaner. Reduce a list of URLs to their root domain, no paths or queries.
- Reading Time, Speaking Time and Word Count. Estimate how long your text takes to read silently, present, narrate or podcast.
Format and Encoding (12 tools)
Anything that converts text from one shape into another. Encoders, decoders, formatters, validators. The kind of work that often needs the input to be sensitive (tokens, configs, customer data) and that should never leave your tab.
- JSON Formatter and Validator. Pretty-print, minify or validate JSON in your browser.
- Base64 Encoder and Decoder. Encode any text to Base64 and back. UTF-8 safe, URL-safe variant supported.
- URL Encoder and Decoder. Percent-encode strings for URLs and decode back. Component or full URI mode.
- HTML Entities Encoder and Decoder. Encode
<,>,&and friends to HTML entities, or decode them back. - ASCII to Unicode Converter. Encode text into code points (decimal, hex, JS escape) and back.
- HTML Tag Stripper. Remove HTML tags from any text and keep only the readable content.
- Markdown Stripper. Convert Markdown to plain text by stripping syntax markers.
- CSV / JSON Converter. Convert CSV to JSON arrays of objects and back, with header detection.
- Markdown to HTML / HTML to Markdown. Convert Markdown to HTML or HTML back to Markdown, with GFM and code fences.
- SQL Formatter. Format SQL across 12 dialects with control over keyword case and indent size.
- Image Resizer. Resize JPG, PNG and WebP images by percentage or exact pixels. Nothing uploaded.
- Image to Base64. Convert any image to a Base64 string, data URI, CSS background or
<img>tag. - PDF Page Counter. Count pages in one or many PDF files in your browser. Drag, drop, get the count.
Obfuscation and Cipher (7 tools)
Light obfuscation and classical ciphers. Useful for puzzles, kid friendly cryptography, social posts or just turning a string into something unreadable at a glance. Real cryptography lives in the developer hash and password tools below.
- Binary Code Translator. Convert text to UTF-8 binary and back.
- Disemvowel. Strip every vowel from your text. Light obfuscation, big reduction.
- Encryption Generator. Three classical ciphers (Caesar, Vigenère, XOR) for learning and puzzles.
- Reverse Text. Flip your text character by character. Works with emoji and accents.
- ROT13 Cipher. Rotate every letter by 13 places. Apply twice to recover the original.
- Word Scrambler. Shuffle the letters inside each word. Random output every run.
- Fancy Text Generator. Convert plain text into 20+ Unicode styles for Instagram, TikTok, Twitter and Discord.
- Aesthetic Text Wrapper. Wrap text with sparkles, hearts, moons, dots and other decorative Unicode for bios and captions.
Combination and Permutation (4 tools)
Cartesian products, line by line zips, permutations, anagrams. Math heavy little tools that build every combination of a set of inputs. Useful for testing, brainstorming, generating word lists or solving puzzles.
- Combination Generator. Cartesian product of 2 to 4 lists. Builds every combination automatically.
- Line Combination Generator. Pair lists line by line (zip). Useful for parallel data joining.
- Permutation Generator. Every reordering of N items, with a size guard for factorial growth.
- Anagram Solver. Generate every unique permutation of a set of letters. Word puzzles, Scrabble, anagrams.
Numeration (3 tools)
Sequential numbers, line numbering, manual counters. Small tools that handle the boring parts of list making and counting.
- Number Each Line. Add sequential numbers (1., 2., 3., …) to every line.
- Sequential Number List Generator. Build a list of numbers from start to end with custom step, prefix, suffix and padding.
- Online Tally Counter. Multiple named counters with +/-, custom step and local persistence.
Generators (9 tools)
Generate something from nothing: identifiers, passwords, placeholder text, slugs, random numbers, QR codes, color palettes, decisions. The randomness uses crypto.getRandomValues so the output is suitable for tokens and serious sampling, not just toys.
- UUID v4 Generator. Generate cryptographically random UUID v4 identifiers in bulk.
- Strong Password Generator. Cryptographically random passwords with full character set control.
- Lorem Ipsum Generator. Classic placeholder text by words, sentences or paragraphs.
- URL Slug Generator. Convert any text into a URL safe slug. Unicode aware, batch mode by line.
- Random Number Generator. Cryptographically secure random numbers, integers or decimals, with no repeats option.
- QR Code Generator. Generate a QR code from any text, URL, Wi-Fi or vCard. PNG and SVG download.
- Random Pick from List. Paste a list, pick one or many at random. Raffles, decisions, sampling.
- Decision Maker. Yes/no, coin flip, dice roller (d4 to d100), rock paper scissors.
- Random Color Palette Generator. Generate harmonious palettes (analogous, triadic, complementary, monochromatic, tetradic, random).
- Pomodoro Timer. Focus timer with 25 min sessions, 5 min short breaks and a long break every four pomodoros.
Developer (8 tools)
Tools that live in a developer’s daily workflow: timestamps, hashes, JWT decoding, regex, diffs, color, dates, cron. Every one of these has a tempting “online debugger” version that uploads your input. None of these do.
- Unix Timestamp Converter. Convert between Unix timestamps and human readable dates. Live, multi format.
- SHA Hash Generator. Compute SHA-1, SHA-256, SHA-384 and SHA-512 hashes locally with Web Crypto.
- JWT Decoder. Decode JSON Web Tokens to inspect the header and payload locally.
- Regex Tester. Test JavaScript regular expressions live with match highlighting and capture groups.
- Text Diff. Compare two texts line by line and visualise added, removed and unchanged lines.
- Color Converter. Convert between hex, rgb() and hsl() with live preview.
- Date Difference. Days, weeks, months and years between two dates. Doubles as an age calculator.
- WCAG Contrast Checker. Check text and background contrast against WCAG AA and AAA, with a live preview.
- Cron Expression Builder. Build cron expressions visually with presets and a plain language preview.
Specific use-case guides
Some tools have dedicated guides for specific contexts where the standard page does not give the full picture. These are the most useful sub-landings to bookmark, each one is a focused walkthrough with code, gotchas, and a working example.
QR Code Generator
Color Converter
Slug Generator
Image Resizer
Developer specifics
- Format JSON in Python
- Format JSON in Node.js
- Decode JWT in Node.js
- Decode JWT in Python
- Decode JWT in Java
- Hash a string in Node.js
- Hash a string in Python
- Regex in JavaScript
- Regex in Python
- UUIDs in PostgreSQL
- UUIDs in JavaScript
- Unix timestamps in PostgreSQL
- Unix timestamps in MySQL
- Unix timestamps in JavaScript
- Base64 in Python
- Base64 in Bash
- WCAG contrast checker
Three tools where the privacy angle really matters
The full list above is uniformly local. Three of them deserve a longer look because the gap between a SaaS version and a privacy-first version is dramatic.
QR codes that never see your text
A QR code is just a text encoded as a square pattern. The most common SaaS QR generators take your text, send it to a server, render the QR there and stream the image back. That means a third party now knows: the URL you are linking to, the Wi-Fi password you embedded, the vCard you encoded, the deep link to your private app. The information that you wanted printed on a sticker is now in someone else’s database.
The QR Code Generator on this site uses the qrcode library running in your browser. The encoding happens in JavaScript, the rendering happens on a Canvas in your tab, and the PNG or SVG is created locally before any download. The text never reaches a server. Open dev tools, watch the network tab while you generate one. There is no request.
That difference matters most for the things you would never think to upload: a Wi-Fi credential for the office network, a vCard with personal contact details, a magic link for a private demo, a beta build URL with a token in the query string. The local QR generator handles all of those without trusting anyone else with the payload.
Password generation that never transmits
A password generator that runs on a server is a contradiction. The whole point of a password is that nobody else sees it, so the moment it travels over the wire to your browser, the trust model has already failed. Even if the server promises not to log, it received the password, it could log, and TLS terminations along the way could intercept.
The Strong Password Generator uses crypto.getRandomValues, the cryptographic random source built into every modern browser. Bytes are read from the operating system’s entropy pool, mapped to your chosen character set, and shown on the page. Nothing leaves your tab. The next time you generate a password the previous one is gone unless you copied it. There is no log to subpoena, no breach to worry about, no third party in the loop. The same applies to the UUID v4 Generator and the Random Number Generator, which use the same source.
JWT decoding that does not see your token
A JWT carries claims that often include user IDs, role assignments, internal email addresses, organization IDs, and the signature that proves the token is valid. Many “online JWT debuggers” ask you to paste the token into a textarea, send it to a server, decode it there and stream the parsed JSON back. At that point the third party has seen everything, including a still valid signature on a token that may have hours of life left.
The JWT Decoder parses the token in your browser. The base64url segments are decoded into the header and payload locally, the JSON is pretty printed locally, and the signature is shown but not transmitted. You can paste the production access token of a logged in user, look at the claims, and close the tab knowing nothing was uploaded. The same approach applies to the Base64 Encoder, the SHA Hash Generator and the Regex Tester, three tools where developers regularly paste sensitive material into a textarea without thinking.
How to verify the claim
The “no upload” promise is testable in a few seconds. For any tool on this site:
- Open the tool page.
- Open the browser’s dev tools and switch to the Network tab.
- Clear the network log.
- Type, paste, drop a file, click the action.
- Watch the network log.
If a tool transmits your input, requests show up. If it does not, the network log stays clean: no XHR, no fetch, no WebSocket frame. The tools listed in this post pass that test. You can repeat the verification any time you want.
The same verification works in reverse for any tool you find on the open web. If a “free PDF compressor” makes a POST with the file content the moment you drop it, the file is on a server. If a “JSON minifier” sends an XHR with your JSON, your JSON is now somewhere else. The network tab is the truth, the privacy policy is the marketing.
Browse the tools by use case
The tools above are also organised into curated hub pages by use case:
- Best for Developers: JSON, regex, JWT, hashes, timestamps, SQL, cron.
- Best for Data: CSV, JSON, columns, find and replace, deduplication.
- Best for Writers: word counts, reading time, case, accents, Lorem Ipsum.
- Best for SEO: slugs, URL cleaning, gendered keywords, character limits.
- Full utilities index: every tool in one page.
Closing
If a tool here saved you time or kept a token out of someone else’s logs, share the list. Link to it from a Slack channel, paste it into a developer onboarding doc, send it to the friend who keeps pasting confidential PDFs into random websites. Backlinks help the page rank, but more importantly, every developer who switches to a local tool removes one more reason for SaaS converters to keep harvesting input.
If a tool you rely on is missing from this list, contact us with the request. The criteria are the same: must run in the browser, must not upload, must not require signup. If it meets those, it can join the next edition of the list.
The web does not need another upload form. It needs more pages that do the work in the tab and forget about it the moment you close it.