Skip to content

Your Data Never Leaves Your Browser

Every tool on ConvertJSON.io runs entirely in your browser. When you paste JSON, decode a JWT, or convert a config file, the data is processed by JavaScript on your own machine. Nothing is uploaded, logged, or stored on a server - because there is no conversion server at all.

Why this matters: the 2025 formatter leaks

In November 2025, security researchers at watchTowr published research showing that two of the most popular online formatting sites, JSONFormatter and CodeBeautify, had publicly exposed more than 80,000 saved user payloads through their server-side "save and share" features. The leaked data included Active Directory credentials, cloud API keys, database connection strings, CI/CD secrets, and customer records - pasted by developers who just wanted to format some JSON.

The root cause wasn't a sophisticated attack. Those sites upload your input to their servers to power features like "recent links", and anything stored on a server can be enumerated, breached, or subpoenaed. The safest server-side storage is the kind that doesn't exist.

How ConvertJSON.io is different

  • No conversion servers. The pages are static files. All parsing and converting happens in client-side JavaScript - you can watch the network tab and see that no request carries your data.
  • Share links carry the data themselves. The Share button compresses your input into the URL fragment (the part after #). Fragments are never sent to web servers by browsers, and we store nothing - the link itself is the data.
  • Preferences stay local. Settings like auto-convert live in your browser's localStorage, not in an account or database.
  • Works offline. Once a tool page has loaded, you can disconnect from the internet and it keeps converting - the clearest proof that nothing depends on a server.

A simple rule for sensitive data

Treat any tool that offers server-side "save", "recent", or "history" features as a place your secrets may become public. If you must use one, never paste credentials, tokens, connection strings, or customer data. Better: use tools where the processing verifiably happens on your machine.

That's the design principle behind every converter here - from the JWT decoder (tokens are credentials!) to the JSON formatter and the Excel converter. Your data is yours; we never see it.