Privacy
Short version: your tokens, secrets and keys never leave your browser. This page is the long version, including the anonymous usage counts we do collect.
What happens to a token you paste
It is decoded, verified or signed by JavaScript running in your browser tab, using the browser's built-in WebCrypto API. It is not sent anywhere. It is not stored anywhere. When you close or refresh the tab, it is gone.
You do not have to take that on trust, which is the entire design goal. Open your browser's developer tools, switch to the Network tab, and paste a token into any tool on this site. You will see no request. Disconnect from the internet entirely and reload: every tool still works, because there is no server to talk to.
The source is public. It is a small amount of TypeScript, and it is worth ten minutes of your time if you are about to paste a production token into it.
Specifically, we never receive
- Tokens, or any part of a token — header, payload, signature.
- Secrets, private keys, public keys, or JWKS content.
- Claim names or claim values from your tokens.
- JWKS URLs that you type.
- Anything you type into any field on this site.
This is not a policy commitment that could quietly change — it is a property of how the site is built. There is no endpoint that accepts this data.
The one network request
The validator can fetch a JWKS from a URL you supply. That happens only when you click "Fetch JWKS", and the request goes directly from your browser to the server you named. It does not pass through us, and your token is not part of it — a JWKS fetch asks only for public keys.
In practice this request is usually blocked by the browser's CORS policy, because identity providers do not expect browsers to read their JWKS endpoints. When that happens we hand you a curl command instead. We deliberately do not offer a server-side proxy to work around it: routing your traffic through our infrastructure is precisely the thing this site exists not to do.
What we do measure
We count usage in aggregate, so we know which tools are worth improving and can describe the audience to potential sponsors. The measurement is cookieless, has no cross-site tracking, and records only:
- Page views, referrer, and coarse country — the standard, cookieless kind.
- Which tool was used. Not what it was used on.
- Which lint categories fired — e.g. that an
alg:nonewarning was shown. Never the token that triggered it. - Whether a JWKS fetch was attempted, and whether it failed on CORS. Never the URL.
- The algorithm name from a token header — the string
"RS256", nothing else from the token. - That a copy button was pressed. Not what was copied.
Nothing is sent while you work
Those events are counted in your browser's memory and transmitted in a single requestwhen you close the page. This is deliberate. The promise at the top of this page — open devtools, paste a token, watch nothing be sent — has to survive being tested, and it would not survive an analytics beacon firing the moment you paste. So none of them fire while the page is open. Your entire session makes zero analytics requests.
Every one of those events is a name and a count. None can carry the content of anything you paste, and that is enforced rather than merely intended: the analytics code accepts a fixed list of property names, and rejects any value longer than 24 characters or containing the characters a token is built from. A JWT cannot pass through it. That restriction is in src/lib/analytics.ts, it is enforced a second time on the server, and there is a test whose entire job is to try to smuggle a token, a secret and a private key past it.
No third-party analytics script
There isn't one. Most sites embed a vendor's JavaScript, which means the vendor's server appears in your Network tab and their code runs on the same page as your token. We don't. The single request described above goes to tokenbench.dev — this site — and our server forwards the counts onward. No third-party host is ever contacted by your browser, and no third-party code ever runs next to your inputs.
Storage and cookies
This site sets no cookies. It writes nothing to localStorage, sessionStorage or IndexedDB. A service worker caches the site's own code so the tools work offline; it never caches or stores anything you enter.
Advertising
If and when this site carries ads, they will be developer-focused, served in sandboxed iframes that cannot read the page's DOM, and never placed adjacent to an input field. We will not use ad technology that scans page content or targets on the basis of what you type, for the obvious reason that the inputs on this site contain credentials.
Contact
Questions, or a security issue to report: open an issue on the repository.
Kalisada LLC. Last updated July 2026.