In November 2025, security researchers reported that jsonformatter.org and codebeautify.org had been exposing user-submitted snippets through an unprotected "Recent Links" feature. The exposed data reportedly included AWS keys, GitHub tokens, database passwords, and banking details.
I had used tools like these before. That made the lesson uncomfortable: developer utilities can feel harmless until the payload you pasted contains something sensitive.
The Problem With Server-Side JSON Tools
Many online JSON formatters, validators, and beautifiers process pasted data on a server. When you paste JSON into one of those tools, the payload may travel through someone else's infrastructure before the formatted result appears on your screen.
For developers, that can be invisible. You copy an API response, paste it into a formatter, get pretty JSON back, and move on. But that JSON might contain:
- API keys and tokens
- Customer PII from a database
- JWTs with session data
- Internal configuration with server IPs or credentials
- Proprietary data structures that reveal architecture
The important question is not whether a tool says it is private. The question is whether you can verify where the pasted content goes.
How SafeJSON Is Different
I built SafeJSON to make that boundary easier to inspect. SafeJSON is a browser-based JSON toolkit whose core JSON workflows are designed so pasted content is not intentionally uploaded during formatting, validation, viewing, diffing, JWT decoding, JSONPath querying, or JSON Schema validation.
You can verify the boundary yourself:
- Open safejson.dev
- Open DevTools -> Network
- Paste JSON, a JWT, a schema, or a JSONPath query into a core tool
- Confirm no request contains the pasted JSON, token, schema, query, or payload
Normal website delivery, aggregate analytics, billing, and license checks may still use network requests. The key boundary is the pasted content used inside core JSON workflows.
What SafeJSON Does
SafeJSON is a JSON toolkit, not just a formatter:
- JSON Formatter & Validator: formatting, syntax highlighting, collapsible tree view, and error detection with line/column details.
- JSON Diff: compare two JSON objects side by side with added, removed, and changed values highlighted.
- JWT Decoder: decode JWT header, payload, and signature in a browser-local workflow.
- JSONPath Query: query JSON data with XPath-like expressions.
- JSON Schema Validator: validate JSON against schema definitions.
There is also a browser extension that detects raw JSON responses, formats them in the current tab, and lets you copy or open SafeJSON without putting page JSON into URL parameters.
The Ecosystem Has a Trust Problem
The jsonformatter.org incident was not an isolated concern. Browser extensions and free developer utilities can change ownership, change behavior, or become harder to audit over time.
These are not hypothetical risks. Real developers have had credentials exposed. Real extensions have changed behavior after ownership changes. The convenience of free online tools comes with a hidden cost when the privacy boundary is vague.
Open Source and Verifiable
SafeJSON is open source under the MIT license. The code is available on GitHub, so you do not have to rely only on marketing copy. You can inspect the implementation and verify the pasted-content boundary in DevTools.
Try It
The tool is live at safejson.dev. Core formatting and validation are free. SafeJSON Pro adds advanced workflows such as JSON Diff, JWT Decoder, JSONPath Query, and JSON Schema Validator for $5/month or $39/year.
If you use online JSON tools out of habit, take 30 seconds to check the boundary: open DevTools -> Network while using the formatter. Look for whether requests contain the JSON, JWT, schema, query, or payload you pasted.
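The same check, here and in the verification steps earlier, can be run over a saved capture instead of by eye. This is an added example, not part of SafeJSON's code: it searches a HAR export's request URLs, headers and bodies for a canary string in plain, URL-encoded and base64 form. The canary value, the formatter.example host and the sample HAR are constructed for illustration.

```javascript
// Added example: scan a HAR export (DevTools -> Network -> "Save all as HAR")
// for a canary string pasted into the tool under test.
// CANARY and SAMPLE_HAR are constructed; formatter.example is a placeholder host.
const CANARY = "CANARY+7f3a/not-a-real-key";

// Base64 of the canary changes with its byte offset (mod 3) in a larger payload:
// build one fragment per alignment, trimming edge chars that mix in neighbour bytes.
function base64Fragments(canary) {
  return [0, 1, 2].map((off) => {
    const buf = Buffer.concat([Buffer.alloc(off), Buffer.from(canary, "utf8")]);
    let s = buf.toString("base64").replace(/=+$/, "");
    if (buf.length % 3 !== 0) s = s.slice(0, -1); // last char depends on next byte
    return s.slice([0, 2, 3][off]);               // leading chars depend on prefix
  });
}

function tryUrlDecode(t) { try { return decodeURIComponent(t); } catch { return t; } }

// Returns one hit per request field (url, headers, body) that contains the canary.
function findLeaks(har, canary) {
  const needles = [canary, ...base64Fragments(canary)];
  const hits = [];
  for (const { request: req } of har.log.entries) {
    const fields = {
      url: req.url,
      headers: (req.headers || []).map((h) => `${h.name}: ${h.value}`).join("\n"),
      body: (req.postData && req.postData.text) || "",
    };
    for (const [where, text] of Object.entries(fields)) {
      const haystacks = [text, tryUrlDecode(text)];
      if (needles.some((n) => haystacks.some((h) => h.includes(n)))) {
        hits.push({ method: req.method, url: req.url, where });
      }
    }
  }
  return hits;
}

// Constructed sample; for a real capture, JSON.parse the exported .har file.
const pasted = JSON.stringify({ token: CANARY });
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://formatter.example/app.js", headers: [] } },
  { request: { method: "POST", url: "https://formatter.example/api/format", headers: [],
      postData: { mimeType: "application/json", text: JSON.stringify({ input: pasted }) } } },
  { request: { method: "GET", url: "https://formatter.example/share?d=" +
      encodeURIComponent(Buffer.from(pasted).toString("base64")), headers: [] } },
] } };

console.log(findLeaks(SAMPLE_HAR, CANARY));
```

Bodies that a page compresses or encrypts before sending will not match, so an empty result narrows the question rather than closing it.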
I built this as a solo developer. Feedback, bug reports, and contributions are welcome on GitHub.