Documentation

Guides for protecting production JavaScript

Reference guides for release workflows, command-line usage, cross-file protections, and the desktop app.

Build And Release Workflows Download Desktop
Inside The Docs

Practical guides, not placeholder pages.

How-to guides Start with release sequencing and command-line usage, then move into feature-specific references.
Advanced protection Browse cross-file controls like Replace Globals and Protect Members when a build spans multiple scripts.

Migrating from Jscrambler

  • Jscrambler Code Integrity customers
  • Corporate ($49/mo) or Enterprise ($99/mo)

Use this guide when an existing Jscrambler Code Integrity deployment needs to move to JavaScript Obfuscator. The two products solve overlapping problems — static transforms plus runtime defense — with very different pricing models and integration footprints. Migration is mostly a matter of mapping configuration; the protected output runs in the same browsers and the same Node runtimes.

Why customers move

Three reasons come up consistently in support tickets from teams moving in this direction:

  • Posted pricing. JSO publishes plans on premium-membership.aspx. Jscrambler is quote-based; teams report annual commitments in the $5K–$50K+ range depending on app count and threat-monitoring add-ons. JSO Corporate at $49/month covers identical protection territory for most teams.
  • Self-serve onboarding. No sales call, no scoping workshop. Sign up, generate an API key, run npx jso-protector --init, ship a protected build the same day.
  • No vendor lock on the symbolication map. Jscrambler stores source-map artifacts server-side and requires their dashboard to symbolicate. JSO returns the identifier map in every API response; you keep it on your machine and demangle locally with jso-symbolicate.

Feature mapping

Jscrambler featureJSO equivalent
Identifier mangling, string concealing, control flow flattening, dead-code injection Direct equivalents: NameMangling, MoveStringsIntoArray + EncodeStrings + EncryptStrings, FlatTransform, DeadCodeInsertion. See the docs catalog for each option.
Polymorphic outputs (different bytes per build) JSO produces polymorphic output by default. Verifiable via Report.PolymorphismFingerprint in every API response. Two consecutive obfuscations of identical input MUST produce different fingerprints.
Code Locks — calendar / domain / counter LockDate + LockDateValue (calendar), LockDomain + LockDomainList (domain). Counter locks ship via the runtime self-defending heartbeat — Runtime Defense docs.
Self-defending (tamper-detection runtime guard) JSO's SelfDefending + SelfDefendingIntervalSeconds heartbeat. Beacon callback when the integrity check fails. Configurable runtime action (redirect, callback, beacon).
Anti-debugging, devtools detection DebugProtection, BlockDevToolsKeys, DisableConsoleOutput, DetectHeadlessBrowser.
Threat monitoring — live dashboard of tamper events Runtime Defense already emits beacon callbacks to a customer-controlled URL. The persistent dashboard for those beacons is in flight — see the roadmap. For now, route the beacon webhook into your existing alerting (Datadog Events, Sentry, PagerDuty) using a 20-line server endpoint.
Source maps + symbolication Identifier maps included in every API response under Report.GlobalIdentifierMap / Report.MemberIdentifierMap. Demangle locally with jso-symbolicate; first-class integrations for Sentry, Bugsnag, Rollbar, Datadog, Honeybadger, Raygun, Airbrake, AppSignal. Maps never leave your machine.
Webskimming / third-party tag protection (PCI DSS v4) Not in scope for JSO. Combine JSO's static + runtime protection with a CSP + SRI rollout for third-party tag governance. If PCI v4 third-party tag attestation is a hard requirement, stay with Jscrambler for that surface and use JSO only for first-party JavaScript.
Webpack / Rollup / Vite / esbuild build plugins Drop-in equivalents: jso-protector/webpack, jso-protector/rollup, jso-protector/vite, jso-protector/esbuild. See the npm CLI guide for the full list.
CI/CD integration Ready-to-drop templates for GitHub Actions, GitLab CI, CircleCI, Jenkinsfile, Azure Pipelines, Bitbucket Pipelines — node_modules/jso-protector/ci/ after install. Auto-tag with the commit SHA via --label.
IDE integration Marketplace-ready VS Code extension and JetBrains plugin (WebStorm, IDEA Ultimate, PhpStorm, PyCharm Professional, RubyMine, GoLand, Rider). Three presets, env-var-first credentials.
customLabel CI metadata jso-protector --label "$COMMIT_SHA". The label rides on the API request as ReleaseLabel and groups dashboard audit entries by commit.

What Jscrambler does that JSO does not

Honest gap list, so the decision is informed:

  • PCI DSS v4 third-party tag attestation. If your auditor requires a vendor attesting third-party-tag integrity for a payment flow, Jscrambler holds that certification today. Use JSO for first-party JavaScript and Jscrambler (or a Content Security Policy + SRI + Subresource Integrity rollout) for third-party tag governance.
  • Hosted threat-monitoring dashboard. JSO emits the beacon events; the persistent UI is still in flight. If you cannot operate without the dashboard today, the migration moment is when JSO ships it (roadmap link).
  • Mobile-app JavaScript protection bundled with the same UX. Jscrambler ships dedicated React Native and Cordova/Capacitor mobile-app surfaces inside the same product. JSO covers React Native via the same jso-protector/react-native entrypoint as web bundles; if you depend on Jscrambler's mobile-specific telemetry features, evaluate before moving.
  • Account-managed onboarding. Jscrambler ships a customer success engineer with most plans. JSO is intentionally self-serve. If your procurement process requires a named technical contact, contact support to discuss Enterprise terms.

Migration checklist

  1. Inventory. List every entry point Jscrambler currently protects: dist folders, webpack outputs, inline HTML scripts, mobile bundles. The migration scope equals this list.
  2. Export your current Jscrambler config (the .jscramblerrc or web-dashboard JSON). Use it as the reference when mapping options below.
  3. Provision a JSO API key. Sign up, upgrade to Corporate, generate a key under Account → API.
  4. Install the CLI: npm install --save-dev jso-protector, then npx jso-protector --init to generate a starter jso.config.json.
  5. Translate options using the feature mapping above. controlFlowFlatteningFlatTransform; stringConcealingEncryptStrings; lock options stay 1:1.
  6. Preserve public names. Carry Jscrambler's identifierNames exclusion list across as reservedNames in jso.config.json (or as a multi-line VariableExclusion block).
  7. Run side-by-side. Protect into dist-jso-protected/ while keeping the Jscrambler-protected output as the live release. Smoke-test the new bundle against your existing test suite.
  8. Wire CI: copy the right template from node_modules/jso-protector/ci/ into your repo. Add JSO_API_KEY and JSO_API_PASSWORD as secrets.
  9. Wire your error reporter. If you use Sentry / Bugsnag / Rollbar / Datadog / Honeybadger / Raygun / Airbrake / AppSignal, follow the symbolication doc — one require + one config-flag.
  10. Cut over. Flip the deploy to the JSO-protected bundle. Keep the Jscrambler config in source control for two release cycles in case you need to roll back.
Next: read the npm CLI workflow, Runtime Defense, and stack-trace symbolication doc pages. Or jump straight to the migration guide for the OSS package if you're also coming off javascript-obfuscator.