What counts as a secret
A secret is any value that could give access to an account, system, user data, or private environment.
Common examples include:
- API keys;
- access tokens;
- refresh tokens;
- private keys;
- passwords;
- session cookies;
- JWTs from real systems;
- database connection strings;
- webhook secrets;
- production configuration files;
- customer records or private payloads.
Some JSON, logs, and error messages can also contain secrets indirectly. Before using a tool such as JSON Formatter, check whether the content includes anything that should not leave your controlled environment.
Why local processing is not the whole story
Browser-local processing is useful because the tool provider does not need to receive the pasted content for that workflow. In Utilio’s local tools, pasted text is processed in the browser and is not uploaded to Utilio servers.
That is better than sending sensitive data to a server, but it is not the same as making secret handling safe.
Other parts of your environment may still matter:
- browser extensions;
- shared computers;
- managed work devices;
- clipboard managers;
- screen recording tools;
- malware;
- browser sync;
- local history or logs outside the tool.
For more context, see Browser extensions, shared devices, and local security limits.
Browser extensions and shared devices
Browser extensions can sometimes read or change page content, depending on their permissions. A shared or managed device may also have monitoring or logging that you do not control.
That means a browser-local tool can reduce one risk — sending content to the tool provider — without removing every local risk.
Be especially careful with:
- work laptops;
- school devices;
- shared computers;
- unknown browser profiles;
- browsers with many extensions;
- machines you do not administer.
If the value can grant access to a real system, do not paste it into a public webpage.
Safer alternatives
For secrets and production data, prefer controlled tools and environments.
Safer options include:
- local command-line tools;
- an internal developer tool approved by your team;
- a temporary test token instead of a real token;
- redacted JSON with secrets removed;
- fake data with the same structure;
- a local editor or IDE plugin you trust;
- a dedicated secrets manager.
If you need to format JSON, remove or replace sensitive values first. Keep the structure, not the real credentials.
How Utilio labels processing models
Utilio separates local browser tools from tools that need a network request. Local tools are labeled so you can understand whether content stays in the browser.
For example, JSON Formatter is meant for formatting JSON locally. But that does not mean you should paste production secrets into it. The safer rule is simple: if the value grants access, do not paste it into an online tool.
See also How browser-local processing works and Privacy Policy.
Common questions
What counts as a secret?
Passwords, API keys, access tokens, refresh tokens, private keys, session cookies, real JWTs, database URLs, webhook secrets, and production config values should be treated as secrets.
Is a browser-local tool enough for secrets?
No. Browser-local processing avoids sending content to the tool provider for that workflow, but it does not remove risks from extensions, shared devices, malware, clipboard tools, or managed environments.
Can browser extensions read pasted data?
Some extensions can read or modify page content if they have broad permissions. Review installed extensions before pasting sensitive data into any webpage.
Should I paste JWTs into decoders?
Do not paste real production JWTs into public tools. Use a test token, a redacted token, or a trusted local/internal decoder instead.
What should I do instead?
Use local CLI tools, internal approved tools, redacted examples, fake data, or trusted offline software. For secrets, avoid public webpages.