Strip away frameworks and languages, and a huge share of web development is the same handful of tasks: move structured data around, prove who a user is, match and validate text, and protect secrets. Each has a standard tool — JSON, JWT, regular expressions, and the trio of hashing, encryption and encoding. This guide maps them and links to a deeper article on each.
Every concept here has a matching tool that runs entirely in your browser — your data is never uploaded — starting with the JSON Formatter and JWT Decoder.
JSON: the data lingua franca
JSON (JavaScript Object Notation) is how data travels across the modern web. Almost every API speaks it, most config files use it, and it is readable by every major language. Its whole design is a small set of types — objects, arrays, strings, numbers, booleans, null — arranged as nested key/value pairs. That simplicity is why it beat the heavier formats that came before it.
Because it is just text, a missing comma or stray bracket breaks it, which is why formatting and validation are everyday tasks. The syntax, the data types and the common pitfalls are in JSON Explained.
JWT: portable proof of identity
Once a user logs in, the server needs a way to recognise them on every subsequent request without looking them up each time. The dominant answer is the JSON Web Token (JWT) — a compact, signed token that carries a small JSON payload (who you are, what you can do, when it expires). Because it is signed, the server can verify the signature on each request and trust the contents without storing session state.
A JWT is three base64url chunks separated by dots: a header, the JSON payload, and a signature. Crucially, the payload is encoded, not encrypted — anyone can read it — so what goes in it and how the signature protects it both matter. The anatomy and the security rules are in How JWT Works.
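To make "encoded, not encrypted" concrete, here is an added example (not part of the original guide or its tools) for Node.js using only the standard library. The function names, the secret and the timestamps are constructed for illustration; it shows that the payload can be read and rewritten without the key, and that only signature verification catches the change.

```javascript
// Added example (not from the original page). Node.js, standard library only.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Sign "header.payload" with HMAC-SHA256 (the HS256 algorithm).
function signHS256(payload, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${header}.${body}`).digest();
  return `${header}.${body}.${b64url(sig)}`;
}

// Anyone can do this: no key is involved in reading the payload.
function readPayloadUnverified(token) {
  return JSON.parse(fromB64url(token.split('.')[1]).toString('utf8'));
}

// Returns the payload only if the signature and expiry check out, else null.
function verifyHS256(token, secret, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  let header, payload;
  try {
    header = JSON.parse(fromB64url(parts[0]).toString('utf8'));
    payload = JSON.parse(fromB64url(parts[1]).toString('utf8'));
  } catch { return null; }
  // Pin the algorithm; never let the token's own header choose it.
  if (!header || header.alg !== 'HS256') return null;
  const expected = crypto.createHmac('sha256', secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = fromB64url(parts[2]);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (!payload || typeof payload.exp !== 'number' || payload.exp <= nowSeconds) return null;
  return payload;
}

// Constructed sample values.
const SECRET = 'constructed-demo-secret';
const NOW = 1700000000;
const token = signHS256({ sub: 'alice', role: 'user', exp: NOW + 300 }, SECRET);

// A tampered copy: payload rewritten, original signature kept.
const [h, , s] = token.split('.');
const forged = `${h}.${b64url(JSON.stringify({ sub: 'alice', role: 'admin', exp: NOW + 300 }))}.${s}`;
```

Server code should only ever act on what verifyHS256 returns; readPayloadUnverified is what a decoder tool does and proves nothing about who issued the token.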
Regular expressions: pattern matching
Validating an email, extracting every URL from a page, finding-and-replacing across a codebase — these are regular expression jobs. A regex is a tiny pattern language for describing text: literal characters, plus special symbols for “any digit,” “one or more,” “start of line,” and so on. Learn a dozen of those symbols and a huge class of text problems becomes a one-liner.
Regex has a reputation for being cryptic, but it is learnable in layers. The core symbols, quantifiers, character classes and groups — with examples — are in Regular Expressions Explained.
Hashing vs. encryption vs. encoding
Three words developers mix up constantly, with real security consequences:
- Encoding changes data’s format so it survives transport (e.g. base64). It is reversible by anyone and provides no security.
- Hashing turns data into a fixed-length fingerprint that cannot be reversed — used for passwords and integrity checks.
- Encryption scrambles data so only someone with the key can read it — used for confidentiality.
Confusing them causes serious bugs: base64-ing a password thinking it is “secured,” or trying to “decrypt” a hash. The distinctions, with when to use each, are in Hashing vs Encryption vs Encoding.
The toolkit
Each concept maps to a tool you can use right now, all client-side:
| Task | Tool |
|---|---|
| Format / validate JSON | JSON Formatter, JSON Validator |
| Decode & inspect a JWT | JWT Decoder |
| Build & test a regex | Regex Tester |
| Hash a value | Hash Generator |
| Generate a unique ID | UUID Generator |
In practice
These four areas underpin most of what a web application does with data — and getting the concepts right (especially the security trio) prevents whole classes of bugs. Start with whichever you need next; each deep-dive is self-contained and pairs with a private, in-browser tool to try it immediately.
Frequently asked questions
What data formats should every web developer know?
At minimum: JSON (the default for APIs and config), the structure of JWTs (the standard auth token), regular expressions (for matching and validating text), and the difference between hashing, encryption and encoding (which underpins security). These four cover the vast majority of day-to-day data handling.
Is JSON the same as JavaScript?
No, though it came from JavaScript. JSON is a language-independent text format for data; JavaScript is a programming language. JSON looks like a JavaScript object literal, but it is just text that every major language can read and write.
Are these tools safe to use with sensitive data?
The tools on this site run entirely in your browser — your JSON, tokens and text are never uploaded. That makes them safe for decoding a production JWT or formatting a config file without sending it to a third-party server.
Where should I start?
JSON is the foundation, since tokens, APIs and config all build on it. From there, JWT for authentication, regular expressions for text processing, and the hashing-vs-encryption distinction for anything security-related.