JSON Formatter — Nothing Leaves Your Browser
Format, validate, diff, and redact JSON 100% client-side. After the November 2025 data breach, we built the alternative.
Verify: nothing was sent
- Open DevTools (F12 or Cmd+Option+I)
- Go to the Network tab
- Paste JSON and format — confirm zero requests
- Check the source on GitHub
Built after the watchTowr disclosure that exposed 80,000+ leaked files.
How to Use
- Pick a mode — Format (default), Validate, Diff, or Redact
- Paste your JSON into the text area (or drop a .json/.txt file)
- Format mode: Choose indent (2/4/tab), toggle "Sort keys", click Compact to minify
- Validate mode: See syntax status, type tree, and inferred JSON Schema
- Diff mode: Paste two JSON documents side by side, toggle semantic comparison
- Redact mode: Automatically detect and replace ~20 secret types (AWS keys, tokens, JWTs)
Why We Built This
In November 2025, watchTowr Labs disclosed that JSONFormatter.org and CodeBeautify.org had been leaking user-pasted content through predictable URLs for over five years. More than 80,000 files — containing AWS keys, database credentials, internal configs, and session tokens — were publicly accessible. Active credential harvesting was confirmed within 48 hours of expiry.
The response? A disclaimer that unsaved data "will become public." That is not a fix. We built the alternative: a JSON formatter with zero servers, zero saves, and zero reasons to trust us — because you can verify the claim yourself in DevTools. Every byte of processing happens in your browser. The source is on GitHub.
Frequently Asked Questions
Is this JSON formatter safe to use with sensitive data?
Yes. All processing happens in your browser. We have no server that receives your JSON. You can verify by opening DevTools → Network tab and confirming zero requests when you paste data.
What happened to JSONFormatter.org and CodeBeautify in 2025?
A security firm (watchTowr Labs) disclosed that both sites' "Save" features publicly exposed user-pasted content via predictable URLs. Over 80,000 files containing passwords, AWS keys, and corporate credentials were leaked over five years.
Why is this tool open-source?
So you can verify the privacy claim yourself. Source code link is in the footer. Auditing client-side code is straightforward — there's no server-side blob to take on faith.
Does it work offline?
Yes, after the first load. The entire app is a single HTML file under 50KB.
What's the maximum JSON size it can handle?
Up to ~10MB comfortably in modern browsers. Beyond that, formatting may take 1-3 seconds. We never upload.
How does secret redaction work?
Regex patterns detect ~20 common secret types (AWS keys, GitHub tokens, JWTs, OpenAI keys, etc.) and replace them with [REDACTED:TYPE] markers locally. Always verify in DevTools that nothing was uploaded.
Can it convert JSON to YAML?
Yes. Click "View as YAML" above the output panel. Supports scalars, objects, arrays, booleans, and null. Anchors and multi-doc YAML are not supported.
Does this work on mobile?
Yes — tested down to 360px-wide viewports. Paste, tap Format, copy output.
Is there a JSON schema generator?
Yes. Validate mode infers a JSON Schema (draft-07) from your sample. Downloadable as a separate file.
Why no account, no save?
Because every "Save" feature is a future breach. If you need persistence, save locally (the Copy and Download buttons are there for that). We deliberately chose not to be a target.
Examples
1. Formatting an API response
Paste a minified API response like {"users":[{"id":1,"name":"Alice"},{"id":2,"name":"Bob"}]} — the formatter instantly indents it with your chosen style. Click "Sort keys" to alphabetize for consistent diffs across environments.
2. Redacting a config file with secrets
Paste a .env.json or AWS config and switch to Redact mode. The tool detects AWS access keys (AKIA...), GitHub PATs (ghp_...), Stripe keys, JWTs, and more — replacing each with [REDACTED:TYPE]. Safe to share the output in a bug report or Slack thread.
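The redaction step described here and in the FAQ ("How does secret redaction work?"), as an added example that is not the tool's own code: it walks the parsed JSON and replaces matches with [REDACTED:TYPE] markers. The three patterns, the function names and the sample document are assumptions built from widely known public token formats, not the tool's actual rule list.

```javascript
// Added example. The pattern set is an assumption based on widely known
// public token formats; it is not the tool's actual rule list.
const PATTERNS = [
  ["AWS_ACCESS_KEY", /\bAKIA[0-9A-Z]{16}\b/g],
  ["GITHUB_PAT", /\bghp_[A-Za-z0-9]{36}\b/g],
  ["JWT", /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g],
];

// Replace every match in one string and tally hits per secret type.
function redactString(s, counts) {
  for (const [type, re] of PATTERNS) {
    s = s.replace(re, () => {
      counts[type] = (counts[type] || 0) + 1;
      return `[REDACTED:${type}]`;
    });
  }
  return s;
}

// Walk the parsed document so secrets nested in arrays/objects (and keys) are covered.
function redactValue(v, counts) {
  if (typeof v === "string") return redactString(v, counts);
  if (Array.isArray(v)) return v.map((x) => redactValue(x, counts));
  if (v !== null && typeof v === "object") {
    return Object.fromEntries(
      Object.entries(v).map(([k, x]) => [redactString(k, counts), redactValue(x, counts)])
    );
  }
  return v; // numbers, booleans, null pass through unchanged
}

function redactJson(text) {
  const counts = {};
  const redacted = redactValue(JSON.parse(text), counts);
  return { output: JSON.stringify(redacted, null, 2), counts };
}

// Constructed sample input; none of these values are real credentials.
const SAMPLE = JSON.stringify({
  aws: { access_key_id: "AKIA" + "EXAMPLE0".repeat(2) },
  ci: ["token=ghp_" + "a".repeat(36)],
  session: "Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2ln",
  db_password: "hunter2-no-known-format",
  retries: 3,
});

const result = redactJson(SAMPLE);
console.log(result.output);
console.log(result.counts);
```

The db_password value passes through untouched because it has no recognizable format: pattern-based redaction only catches known token shapes, so read the output before sharing it.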
3. Debugging malformed JSON
Paste broken JSON and the formatter pinpoints the exact error: line, column, and a clear message. Common catches: trailing commas, single quotes, unescaped control characters, and missing closing brackets.
About JSON Formatting
JSON (JavaScript Object Notation) is the dominant data interchange format for web APIs, configuration files, and data pipelines. Every developer encounters JSON daily — from REST API responses to CI/CD configs to infrastructure-as-code templates. A good JSON formatter is a daily-driver tool.
Yet the most popular online JSON formatters — JSONFormatter.org, CodeBeautify.org — were caught leaking user data in November 2025. The breach exposed a fundamental design flaw: any tool that sends your data to a server creates a target. "We delete it after 24 hours" is a policy, not a guarantee.
Client-side JSON formatting eliminates the risk entirely. Modern browsers can parse, format, validate, and diff JSON natively via JSON.parse() and structured clone. There is no technical reason for a JSON formatter to phone home.
This tool runs entirely in your browser. It formats with configurable indentation (2 spaces, 4 spaces, or tabs). It validates syntax and infers JSON Schema from samples. It diffs two documents with optional semantic comparison (ignoring key order and whitespace). And it detects and redacts ~20 types of secrets — AWS keys, GitHub tokens, JWTs, Stripe keys, OpenAI API keys — so you can safely share sanitized JSON in bug reports, documentation, or Slack channels.
Whether you need a quick pretty-print on mobile, a privacy-safe formatter for enterprise environments, a JSON validator that works offline, or a YAML converter for your Kubernetes configs — this tool handles it without ever seeing your data.