ToolPad Blog
Longer-form articles on the formats and protocols behind the tools. Written for working engineers who want to understand not just what a utility does, but why the format exists and where it tends to go wrong in production.
Each post here started as a real problem one of us hit on the job — a token that wouldn't verify, a regex that took down a production service, an index that suddenly got slow when we switched to v4 UUIDs as the primary key. We write the article we wish we'd had at the time: concrete, specific, and short enough to read end-to-end in one sitting.
Articles are revised when the underlying spec or ecosystem changes — for example, when RFC 9562 superseded RFC 4122 for UUIDs. The publication date below reflects the original publication; updates are noted inline when they happen.
For more on how we write and review the content here, see our editorial standards.
JSON Validation: Beyond Pretty-Printing
8 min read
Common JSON syntax mistakes, the difference between syntactic and semantic validation, and a practical introduction to JSON Schema for catching bad data before it reaches your database.
Tags: json, validation, schema

Regex Performance and Catastrophic Backtracking
8 min read
A seemingly innocent regex can freeze a production server for minutes. Learn how backtracking engines work, how to spot a vulnerable pattern, and how to rewrite it safely.
Tags: regex, performance, security

Base64 in HTTP Headers: Pitfalls and Fixes
6 min read
Line breaks, padding characters, URL-safe variants, and the persistent myth that Base64 is a form of encryption. What to watch for when you move binary data over text protocols.
Tags: base64, http, encoding

UUID v4 vs v7: Which Should You Use?
7 min read
UUID v4 is random; UUID v7 is time-ordered. The choice has real consequences for database index locality, pagination, and debug-ability. Here is a practical guide to picking the right one.
Tags: uuid, database, identifiers

How JWT Verification Actually Works
9 min read
Decoding a JWT is not the same as verifying it. A walkthrough of signing algorithms, the alg:none trap, key rotation, clock skew, and what your backend should actually check.
Tags: jwt, security, auth