See every transform side-by-side

Real input on the left, real protected output on the right. Outputs are slightly polymorphic between runs — the shapes below are representative, not byte-for-byte identical to what a live API call returns for the same input.

standard 1. Name Mangling

Local identifiers (variables, parameters, function names) collapse to short, opaque tokens. Public/global names you list as reserved are left alone.

Source 102 bytes

function calculateLicenseHash(productKey, accountId) {
    const salt = "JSO-2026";
    return productKey + ":" + accountId + ":" + salt;
}

Protected 87 bytes

function _0x4f2a(_0xae,_0x21){
    const _0xbc="JSO-2026";
    return _0xae+":"+_0x21+":"+_0xbc;
}

balanced 2. String Array (Move Strings Into Array)

Every string literal is hoisted into a single array at the top, accessed by index. Static analyzers can no longer grep the bundle for revealing strings; they have to follow the indirection.

Source 141 bytes

function greet(user) {
    if (user.role === "admin") {
        return "Welcome, administrator!";
    }
    return "Hello, " + user.name;
}

Protected 208 bytes

var _$a=["admin","Welcome, administrator!","Hello, ","role","name"];
function _g(u){
    if(u[_$a[3]]===_$a[0]){
        return _$a[1];
    }
    return _$a[2]+u[_$a[4]];
}

balanced 3. String Encryption

The hoisted string array is encrypted at rest and decoded on demand by a per-build polymorphic decoder. Grep for "Welcome" in the bundle and you get nothing back.

Source 141 bytes

function greet(user) {
    if (user.role === "admin") {
        return "Welcome, administrator!";
    }
    return "Hello, " + user.name;
}

Protected 312 bytes

var _$e=["bER0aW4=","V2VsY29tZSwgYWRtaW5pc3RyYXRvciE=",
         "SGVsbG8sIA==","cm9sZQ==","bmFtZQ=="];
(function(a,b){var c=function(i){return atob(a[i]);};
 _$d=function(i){return c(i);};})(_$e);
function _g(u){
    if(u[_$d(3)]===_$d(0))return _$d(1);
    return _$d(2)+u[_$d(4)];
}

maximum 4. Control Flow Flattening (Flat Transform)

Linear code becomes a state-machine loop. Decompilers cannot recover the original ifs and loops without solving the dispatcher first — an exercise that an LLM with no context is bad at.

Source 126 bytes

function sum(n) {
    let total = 0;
    for (let i = 1; i <= n; i++) {
        total += i;
    }
    return total;
}

Protected 298 bytes

function _s(n){
    var _st="3|0|4|2|1".split("|"),_i=0,_t,_x;
    while(true){
        switch(_st[_i++]){
            case "0": _t=0; continue;
            case "1": return _t;
            case "2": if(_x>n){_i=4;continue;} _t+=_x; _x++; _i=2; continue;
            case "3": _x=1; continue;
            case "4": _i=1; continue;
        }
        break;
    }
}

maximum 5. Dead Code Insertion

Provably unreachable branches are spliced in alongside real logic. The bundle grows; the reader gets more code paths to chase before realizing most of them are decoys.

Source 62 bytes

function isPaid(user) {
    return user.tier >= 2;
}

Protected 214 bytes

function _ip(u){
    if(!![]){
        return u["tier"]>=2;
    }else{
        var _z=function(a){return a*0x71+0x1f;};
        for(var i=0;i<3;i++){_z(i);}
        throw new Error("never");
    }
}

maximum 6. Protect Members & Member Mapping

Object property names that don't escape the bundle (e.g. internal helpers) are renamed too. Combined with the string array, even structured access becomes opaque.

Source 155 bytes

const license = {
    productKey: "ABC-123",
    expires: "2027-01-01",
    isValid() { return Date.now() < Date.parse(this.expires); }
};

Protected 196 bytes

var _$m=["ABC-123","2027-01-01"];
const _l={
    _0xae: _$m[0],
    _0xbf: _$m[1],
    _0xc1(){ return Date.now() < Date.parse(this._0xbf); }
};

maximum 7. Self-Defending Integrity Guard

A small heartbeat function checks that the protected bundle was not edited or re-formatted after shipping. Any modification — even a single whitespace change — trips the guard and the configured runtime defense action fires.

Source 66 bytes

function chargeCard(amount) {
    api.post("/charge", {amount});
}

Protected 320 bytes

(function _sd(){
    var _exp="a7c9...c2";
    var _f=arguments.callee.toString().replace(/[^a-z0-9]/gi,"");
    var _h=0; for(var i=0;i<_f.length;i++)_h=(_h*31+_f.charCodeAt(i))>>>0;
    if(_h.toString(16)!==_exp){ window.__jso_tamper(); return; }
    setTimeout(_sd, 5000);
})();
function _c(_a){_api.post("/charge",{amount:_a});}

Try it on your own code

The examples above are short for readability. The live obfuscator handles thousands of lines, multiple files, and every preset shown here in a single API call.

Open the live demo Read the full docs ›