tokenbench

Privacy

Short version: your tokens, secrets and keys never leave your browser. This page is the long version, including the anonymous usage counts we do collect.

What happens to a token you paste

It is decoded, verified or signed by JavaScript running in your browser tab, using the browser's built-in WebCrypto API. It is not sent anywhere. It is not stored anywhere. When you close or refresh the tab, it is gone.

You do not have to take that on trust, which is the entire design goal. Open your browser's developer tools, switch to the Network tab, and paste a token into any tool on this site. You will see no request. Disconnect from the internet entirely and reload: every tool still works, because there is no server to talk to.

The source is public. It is a small amount of TypeScript, and it is worth ten minutes of your time if you are about to paste a production token into it.

Specifically, we never receive

This is not a policy commitment that could quietly change — it is a property of how the site is built. There is no endpoint that accepts this data.

The one network request

The validator can fetch a JWKS from a URL you supply. That happens only when you click "Fetch JWKS", and the request goes directly from your browser to the server you named. It does not pass through us, and your token is not part of it — a JWKS fetch asks only for public keys.

In practice this request is usually blocked by the browser's CORS policy, because identity providers do not expect browsers to read their JWKS endpoints. When that happens we hand you a curl command instead. We deliberately do not offer a server-side proxy to work around it: routing your traffic through our infrastructure is precisely the thing this site exists not to do.

What we do measure

We count usage in aggregate, so we know which tools are worth improving and can describe the audience to potential sponsors. The measurement is cookieless, has no cross-site tracking, and records only:

Nothing is sent while you work

Those events are counted in your browser's memory and transmitted in a single requestwhen you close the page. This is deliberate. The promise at the top of this page — open devtools, paste a token, watch nothing be sent — has to survive being tested, and it would not survive an analytics beacon firing the moment you paste. So none of them fire while the page is open. Your entire session makes zero analytics requests.

Every one of those events is a name and a count. None can carry the content of anything you paste, and that is enforced rather than merely intended: the analytics code accepts a fixed list of property names, and rejects any value longer than 24 characters or containing the characters a token is built from. A JWT cannot pass through it. That restriction is in src/lib/analytics.ts, it is enforced a second time on the server, and there is a test whose entire job is to try to smuggle a token, a secret and a private key past it.

No third-party analytics script

There isn't one. Most sites embed a vendor's JavaScript, which means the vendor's server appears in your Network tab and their code runs on the same page as your token. We don't. The single request described above goes to tokenbench.dev — this site — and our server forwards the counts onward. No third-party host is ever contacted by your browser, and no third-party code ever runs next to your inputs.

Storage and cookies

This site sets no cookies. It writes nothing to localStorage, sessionStorage or IndexedDB. A service worker caches the site's own code so the tools work offline; it never caches or stores anything you enter.

Advertising

If and when this site carries ads, they will be developer-focused, served in sandboxed iframes that cannot read the page's DOM, and never placed adjacent to an input field. We will not use ad technology that scans page content or targets on the basis of what you type, for the obvious reason that the inputs on this site contain credentials.

Contact

Questions, or a security issue to report: open an issue on the repository.

Kalisada LLC. Last updated July 2026.