Documentation

Guides for protecting production JavaScript

Reference guides for release workflows, command-line usage, cross-file protections, and the desktop app.

Inside the Docs

Practical guides for real release work.

How-to guides Start with release sequencing and command-line usage, then move into feature-specific references.
Advanced protection Browse cross-file controls like Replace Globals and Protect Members when a build spans multiple scripts.

Tooling matrix

  • 2026-06-06
  • Shipping tested + published · Beta opt-in · Reference spec / template only

Every artifact JSO ships, in one table. Use this page when running procurement, when scoping a JSO rollout into a new team's stack, or when answering "do you have a thing for X?". For deep documentation per artifact follow the linked rows.

Language clients

Same protect() shape across every language. See the clients reference for side-by-side code examples.

LanguagePackageMin runtimeHTTP transportStatus
Nodejso-protector (npm)Node ≥18built-in fetchShipping
Pythonjso-protector (PyPI)Python ≥3.8stdlib urllibShipping
Gojso-protector-goGo ≥1.21stdlib net/httpShipping
.NETJsoProtector (NuGet).NET Standard 2.0HttpClientShipping
Rubyjso_protector (RubyGems)Ruby ≥2.7stdlib net/httpShipping
PHPjavascriptobfuscator/jso-protector (Packagist)PHP ≥7.4ext-curl + stream fallbackShipping
Rustjso-protector (crates.io)Rust ≥1.70ureq (sync, rustls)Shipping
Javacom.javascriptobfuscator:jso-protector (Maven Central)JDK ≥11stdlib java.net.http.HttpClientShipping
Kotlincom.javascriptobfuscator:jso-protector-kotlin (Maven Central)Kotlin ≥1.9, JDK 11+stdlib java.net.http.HttpClient with coroutinesShipping
Anything elseWire-format spec + JSON Schema + examples/curl/protect.shPOSIX shellcurl + jqReference
IDE integrations

Right-click Obfuscate File / Obfuscate Selection from any JS/TS file. Three presets, env-var-first credentials. Same wire format as the CLI.

Editor familyPackageStatus
VS Code, Cursor, VSCodiumjavascript-obfuscator-vscode (VS Code Marketplace)Shipping
WebStorm, IDEA Ultimate, PhpStorm, PyCharm Professional, RubyMine, GoLand, Ridercom.javascriptobfuscator.jetbrains (JetBrains Marketplace)Shipping
Build-tool plugins (via jso-protector npm CLI)
Bundler / frameworkEntry pointStatus
Vitejso-protector/viteShipping
Webpack / Rspackjso-protector/webpack, jso-protector/webpack-loader, jso-protector/rspackShipping
Rollupjso-protector/rollupShipping
esbuildjso-protector/esbuildShipping
Next.jsjso-protector/nextShipping
Parceljso-protector/parcelShipping
Metro / React Nativejso-protector/metro, jso-protector/react-nativeShipping
Bunjso-protector/bunShipping
Turbopackjso-protector/turbopackShipping
Browserify, Gulp, Gruntjso-protector/browserify, /gulp, /gruntShipping
CI/CD templates

All thirteen templates ship inside node_modules/jso-protector/ci/. Every one calls --label "$COMMIT_SHA" and archives the API report. Convention enforced by a verify:ci npm script and a verify:polyglot cross-client wire-format check.

SystemTemplate fileStatus
GitHub Actionsci/github-actions.yml + composite ActionShipping
GitLab CIci/gitlab-ci.ymlShipping
CircleCIci/circleci.ymlShipping
Jenkinsci/JenkinsfileShipping
Azure Pipelinesci/azure-pipelines.ymlShipping
Bitbucket Pipelinesci/bitbucket-pipelines.ymlShipping
Drone CIci/drone.ymlShipping
Buildkiteci/buildkite.ymlShipping
Woodpecker CIci/woodpecker.ymlShipping
Tekton Pipelinesci/tekton.yamlShipping
TeamCity Kotlin DSLci/teamcity.ktsShipping
GoCDci/gocd.yamlShipping
Argo Workflowsci/argo-workflows.yamlShipping
Kubernetes-native deployment
PatternWhereStatus
Standalone Job manifestpackages/jso-protector/examples/kubernetes/job.yamlShipping
Helm chart (Job or CronJob via cron.schedule)packages/jso-protector/examples/helm/Shipping
Tekton Task + Pipelineci/tekton.yamlShipping
Argo Workflowsci/argo-workflows.yamlShipping
Stack-trace symbolication

Local demangling of obfuscated stack traces. Maps stay on the customer machine. See the symbolication doc.

ComponentDetailStatus
jso-symbolicate CLInpm package — npx jso-symbolicate --map report.json --stack crash.txtShipping
Interactive web demo/symbolicate-demo.aspx — paste a stack + map, browser-only demanglingShipping
Sentry / Bugsnag / Rollbar / Datadog / Honeybadger / Raygun / Airbrake / AppSignalOne-line beforeSend wire-up per reporter; subpath exports off jso-symbolicateShipping
Credential hygiene tools
ToolWhat it doesStatus
eslint-plugin-jso-protectorESLint rules: no-hardcoded-jso-credentials (catches base-64-shaped tokens + literal assignments to credential keys) and prefer-env-credentials (warns on empty-string placeholders). Both auto-fix to process.env.Shipping
pre-commit hooksjso-release-check + jso-dry-run catch config drift before commit. Ship via packages/jso-protector/.pre-commit-hooks.yaml.Shipping
Polyglot CI smoke harnesspackages/polyglot-smoke/smoke.js — spins up a mock server, round-trips a fixture against every available language client, asserts cross-client wire-format consistency. Wired into verify:polyglot + prepublishOnly.Shipping
Supply-chain integrity
CapabilityWhereStatus
HMAC-SHA256 watermark embedding + verifierjso-protector --watermark / --verify-watermark / --scan-watermarks. Wire format mirrored in Python (jso_protector.watermark) and .NET (JsoProtector.Watermark). Spec: WireFormat.aspx.Shipping
Ed25519-signed release attestation (SLSA-style)jso-protector --sign-release / --verify-release with two-stage verify (signature + on-disk re-hash). --genkey-release mints fresh keypairs. Spec: WireFormat.aspx.Shipping
Pre-flight quota gatejso-protector --estimate walks input files + reads /v1/ai/usage; three gate states (OK / WARN / FAIL).Shipping
Migration review assistantjso-protector --migration-review emits one source-free owner packet with a Migration Review Assistant for BYO AI or internal reviewers, covering manual review tracks, source-map policy, identifier-cache replacement, runtime-defense behavior, source-reading command boundaries, release metadata, and protected-build smoke.Shipping
Identifier-cache review assistantjso-protector --identifier-cache-review turns deterministic cache and custom dictionary migration assumptions into a source-free Identifier Cache Review Assistant for BYO AI or internal reviewers, covering reserved-name coverage, release metadata, and protected-build smoke.Shipping
Runtime-defense review assistantjso-protector --runtime-defense-review turns anti-debug, self-defending, runtime lock, console, and countermeasure migration assumptions into a source-free Runtime Defense Review Assistant for BYO AI or internal reviewers, covering runtime behavior scope, monitoring handoff, countermeasure policy, domain/date lock smoke, source-reading compatibility scan, release metadata, and protected-build smoke.Shipping
Competitor gap review assistantjso-protector --competitor-gap-report --json groups covered, partial, and gap areas, pins the public-source snapshot date, lists follow-up reviewer artifacts, and emits a source-free Competitor Gap Review Assistant for BYO AI or internal reviewers.Shipping
Source-map evidence assistantjso-protector --source-map-evidence verifies the protected manifest, audits .map files and sourceMappingURL comments, then emits a source-free Source Map Review Assistant for BYO AI or internal reviewers without sharing raw maps, original source paths, source code, protected output, customer data, or secrets.Shipping
Deployment hygiene evidencejso-protector --deployment-hygiene-evidence turns the tools/Build-UpdatedArchives.ps1 -ReportPath archive hygiene JSON into a source-free reviewer packet with blocked-entry status, required-entry gaps, operator checklist, rotation triggers, SHA-256, and Review Assistant boundaries.Shipping
GitHub Action opt-in inputsjavascriptobfuscator/[email protected] exposes release-check, competitor-gap-report, migration-review, migration-review-report, payment-script-inventory, runtime-inventory-snapshot, script-inventory-audit-report, payment-page-har, payment-page-headers-baseline, payment-page-url-pattern, payment-page-headers-report, pci-dss-v4-evidence, pci-dss-v4-report, pci-dss-v4-json-report, source-map-evidence, source-map-evidence-report, runtime-incident-export, runtime-incident-evidence-report, vm-proof-pack, vm-proof-pack-report, ai-resistance-evidence, ai-resistance-evidence-report, watermark, watermark-key, sign-release-key, ai-precheck, estimate as inputs; outputs source-free preflight and migration-review reports, source-map evidence, runtime incident evidence, VM proof, AI-resistance evidence, payment-page audit report paths, payment-page security-header report paths, and PCI DSS v4 report paths plus the .sig path for downstream upload-artifact steps.Shipping
Cross-language conformance vectorsEight pinned wire-format vectors in packages/jso-protector/test/wire-format-vectors.test.js. Reference for any new language port.Shipping
Runtime defense + ops integration
CapabilityWhereStatus
Debug protection, console suppression, devtools-key blocking, headless detection, session lock, fingerprint lock, challenge lock, self-defending integrity heartbeat, signed RSA envelopes, beacon callbackAPI options documented at /Docs/RuntimeDefense.aspxShipping
jso-beacon-slackForwards Runtime Defense beacon webhooks to Slack + Discord. Three deployment shapes: programmatic, standalone HTTP server, AWS Lambda example.Shipping
Runtime incident dashboardToken-based hosted intake at /v1/runtime/beacon.ashx, with recent incidents, severity, BuildID, URL, collector-token status, first-triage status actions, source-free routing recommendations, response targets, CSV/JSON evidence exports in Dashboard Monitoring, and jso-protector --runtime-incident-evidence handoff packets for support or reviewer workflows.Beta
Payment-page protection playbookCheckout script inventory, security-header snapshots, runtime alerts, signed release evidence, PCI DSS v4 report workflow, and source-free PCI DSS Review Assistant for BYO AI or internal reviewers.Shipping
VM bytecode protectionPer-function virtualization marked by @virtualize comments (//, block, or JSDoc form). Corporate+ tier. Docs: option reference and public proof pack.Beta
Migration guides
Coming fromGuide
OSS javascript-obfuscator npm packageMigrating from javascript-obfuscator
Jscrambler Code IntegrityMigrating from Jscrambler
Don't see a tool you need? The JSO HTTP API is small and stable; every artifact above is built on top of it. Write a thin client in your language by following the wire-format spec or generate one from the JSON Schema. Recipes for common build-and-release patterns live in the Cookbook.

Try this in the online obfuscator

Paste your own code and see this option applied, or compare plans for larger projects and the desktop app.

Try It Free See Pricing