A curated list of developer tools that don't send your data to a server. No tracking, no ads, no "free tier" backdoors waiting to activate.
Maintained by Septim Labs. Last updated: April 20, 2026 (added Secret Management + AI Coding Tools sections).
Why this list exists: In March 2026, the popular JSON Formatter Chrome extension was caught injecting adware and tracking scripts into user browsers. It's a pattern that keeps repeating with "free" dev tools. This list curates the ones that structurally can't do that — because they run entirely on your machine.
- Data Formatters — JSON, JWT, Base64, etc.
- Code Utilities — Diff, minify, convert
- Generators — UUID, hash, password, lorem
- Secret Management (Dev) — API keys, tokens, .env values
- AI Coding Tools — Claude Code skills, agents, prompts
- Web Apps (Client-Side) — Zero-server web tools
- Self-Hosted — Run locally
- How to Verify a Tool is Actually Client-Side
- How This List Is Curated
- Septim Forge — JSON Formatter — Free. Pretty-prints, minifies, validates. 100% client-side. (Source: Septim Forge)
- JSON Alexander — Chrome extension. Created by Wes Bos as a clean response to JSON Formatter going adware.
jq— The standard CLI.brew install jqorapt install jq.
- Septim Forge — JWT Decoder — Free. Decodes header, payload, signature client-side. Never sends token to a server.
jwt-cli— CLI alternative.cargo install jwt-cli.
- Septim Forge — Base64 — Encode/decode with binary file support.
- Septim Forge — URL Encoder — URL & component encoding.
- Septim Forge — HTML Entities — Named and numeric entity conversion.
- Septim Forge Pro — CSV↔JSON — $9 lifetime. Bidirectional with delimiter detection, quoted-field handling, nested-key flattening.
- Septim Forge Pro — Diff Checker — $9 lifetime. Side-by-side, word-level, line-level. Client-side.
- Septim Forge Pro — SQL Formatter — $9 lifetime. Standard/snowflake/postgres dialects.
- Septim Forge Pro — Code Minifier — $9 lifetime. JS/CSS/HTML.
- Septim Forge Pro — JSON→TypeScript — $9 lifetime. Generates interface declarations.
- Septim Forge — UUID Generator — v1, v4, v7. Crypto-random source.
- Septim Forge — Hash Generator — MD5, SHA-1, SHA-256, SHA-512. Client-side via Web Crypto API.
- Septim Forge — Password Generator — Customizable length, character classes, entropy display.
- Septim Forge — Lorem Ipsum — Words, sentences, paragraphs.
Password managers (1Password, Bitwarden) are built for consumer accounts. Developer secrets — API keys, auth tokens, Stripe keys, database URLs, .env values — have different shape: they rotate more, they get pasted into terminals, they have 1000x the blast radius. Tools in this section target dev secrets specifically.
- Septim Vault — $29 lifetime. Client-side encrypted vault specifically for dev secrets. AES-256-GCM, PBKDF2 at 600k iterations, WebCrypto native (
crypto.subtleonly). Data lives in your browser's localStorage, never transmitted. Free tier caps at 3 entries. Not a Bitwarden replacement — see the positioning compare. - Vaultwarden — Self-hosted Bitwarden-compatible server. Rust. For consumer passwords across your devices, not dev-secrets-first.
- pass — GPG-encrypted flat-file password manager. CLI. The Unix philosophy answer.
- direnv — Per-directory environment variable loader. Encrypts via
age/sopswith plugins.
Tools and packs for Claude Code, Cursor, and similar AI-augmented coding workflows. Privacy-first criterion: the tool either runs under your own API subscription (no middleman holding your prompts) or is local-only.
- Septim Drills — $29 lifetime. 25 production Claude Code skills (PR review, test gaps, migration safety, security triage, changelog, launch copy, more). Drop into
~/.claude/skills/. Runs under your Claude subscription, your data, your control. 3 samples free here. - Septim Agents Pack — $49 lifetime. 10 named Claude Code sub-agents (Atlas/Luca/Canon/Ember/Tally/Nova/Ward/Mira/Juno/Pip) with distinct voices. Installs to
~/.claude/agents/. Same privacy model. - Septim Prompts Pack — $9 lifetime. 24 curated Claude Code prompts for scope/design/engineering/legal/launch.
Tonight only: Drills + Vault bundled for $39 (save $19 vs $58 separate) — septimlabs.vercel.app/tonight. Expires midnight ET.
These are web apps — not extensions. The attack surface is one tab, one load. No auto-updater, no cross-origin permissions.
- Septim Forge — 22 tools. 16 free, 6 Pro ($9 lifetime). No server calls on tool pages.
- Septim Vault — Covered above in Secret Management.
Why this matters: A browser extension has permission to read any site you have open. A client-side web app only sees the tab it's loaded in. The threat models are incomparable.
If your org disallows sending any data to external endpoints, these run 100% locally:
jq— JSON processing CLIhttpie— CLI HTTP clientgron— Make JSON greppablefx— Interactive JSON viewer CLImitmproxy— Local HTTP inspection- DevTools Protocol — Your browser already has it
Open the page in Chrome. Open DevTools → Network tab. Clear. Paste your JSON or token. Click the tool's button. Watch for:
- Any outbound XHR or
fetchcall → not client-side. Exfiltration risk. - Any
navigator.sendBeaconcall → analytics on your input. - Service workers registered → could be caching your data.
- Resource loads from domains other than the tool's own → third-party trackers.
If DevTools shows zero new network activity during the tool operation: genuinely client-side. If anything fires: interrogate what it is.
- Every tool linked has been audited in DevTools for outbound network calls during tool operation.
- Septim-built tools are disclosed as such and ship free unless marked "Pro."
- No affiliate links. The
Septim Forge Prolinks go to paid tools — we get paid. Everything free stays free. - If a tool is mis-listed (e.g., it actually phones home), open an issue and it comes off the list.
Know a tool that belongs here? Open a PR. Criteria:
- Client-side (browser) or local-only (self-hosted).
- No tracking, no ads, no data exfiltration.
- Actively maintained (commits in the last 12 months) OR pinned to a stable version.
- Business model is legible — donation, one-time purchase, open-source, or clearly-stated "I'm doing this for fun."
This list: CC0 (public domain). Fork freely, remix, redistribute.
The linked tools retain their own licenses.
- The JSON Formatter Chrome Extension Went Adware — what to use instead
- Septim Labs — Maintainer. Solo founder shipping dev tools, SaaS scaffolds, and AI agents.