Use this page to decide which JavaScript Obfuscator workflow fits your source-handling requirements: hosted API, online tool, npm automation, or desktop/local workflow.
Hosted API and npm workflows
The npm CLI, Node API, and build plugins send matched JavaScript file contents or emitted JavaScript chunks to the configured HttpApi.ashx endpoint. API credentials should be read from environment variables or CI secrets, not committed into config files.
Dry run
--dry-run does not call the API. Use it to review matched files and output paths. |
Validate config
--validate-config checks config shape, paths, budgets, and option names without sending source code. |
Doctor
--doctor checks credentials presence, paths, file matching, and output readiness without sending source code. |
Release check
--release-check combines validation, dry-run planning, and doctor checks as one CI preflight report. Add --strict when warnings should fail CI. |
API check
--release-check --check-api or --doctor --check-api sends a tiny generated jso-doctor.js sample to verify credentials and endpoint health. |
Protection
CLI, Node API, and build plugins send selected JavaScript source or emitted chunks to the configured endpoint. |
Print config
--print-config --json redacts credentials as [set] or [missing]. |
Manifest
Release manifests contain file names, paths, byte counts, and SHA-256 hashes. Treat them as release metadata. |
Local-only message
--local-only --json prints the desktop/local workflow guidance and exits without reading project source. |
Marked HTML
--parse-html sends only marked <script data-javascript-obfuscator> blocks to the API and preserves unmarked HTML locally. |
When source files contain javascript-obfuscator:disable markers, the npm CLI fails by default. Pass --honor-conditional-comments only when you want enabled regions sent to the API and disabled regions preserved locally.
Desktop and local workflows
Use the desktop/local workflow when a project policy requires source to remain local, when a non-Node user needs a GUI, or when you are processing larger mixed-file projects outside a package-script pipeline.
The npm CLI can still run local preflight commands such as --validate-config, --dry-run, --doctor, --release-check, and --local-only. Actual npm CLI protection uses the hosted HTTP API.
Source maps
Source maps can reveal original source after protection. The npm CLI excludes source maps by default, and bundle plugins remove stale JavaScript source maps by default. Keep that behavior for protected release artifacts unless another secure release step handles maps.
Release manifests
Release manifests contain project metadata, file names, source and output paths, byte counts, SHA-256 hashes, and processing metadata for virtual API items. Store them with release artifacts only when your release process allows path, hash, and processing metadata.
Credential handling
Store JSO_API_KEY and JSO_API_PASSWORD in local environment variables, encrypted CI secrets, or your organization's approved secret manager. Rotate API credentials if they are pasted into logs, chat, tickets, or build output.
CI release practices
- Run
--release-check --json before sending source code, and add --strict when validation warnings should fail CI.
- Protect into a separate folder such as
dist-protected.
- Publish protected artifacts, not the unprotected build folder.
- Use
include and exclude to skip vendor bundles, polyfills, and framework runtime files.