Obfuscate JavaScript code to make it harder to read and reverse-engineer. Renames variables, encodes strings, and transforms the AST using the javascript-obfuscator library. Runs 100% in your browser.
Paste your JavaScript code into the input editor. The obfuscator works on any valid JavaScript — functions, classes, modules, and scripts. Minifying your code first is optional but produces a smaller obfuscated output.
Select Low (readable, fast), Medium (balanced), or High (maximum obfuscation, larger output). Custom mode lets you configure individual options: control flow flattening, string encryption, dead code injection, identifier name generation style, and self-defending code.
Click Obfuscate to process your code. The result appears in the output editor. Copy to clipboard or click Download to save as a .js file ready to deploy. The obfuscated code is functionally identical to the original.
JavaScript obfuscation is the process of transforming readable JavaScript code into a functionally equivalent version that is difficult for humans to understand and reverse-engineer. Techniques include renaming variables and functions to meaningless names (a, b, _0x1a2b), encoding string literals as hex or Unicode escape sequences, flattening control flow to obscure logic, inserting dead code, and splitting identifiers. The obfuscated code runs identically to the original.
Obfuscation makes code harder to understand but does not make it truly secure. Determined attackers can deobfuscate code using static analysis tools (e.g. de4js, JStillery), dynamic analysis in browser dev tools (setting breakpoints and inspecting runtime values), and AST analysis. Never store genuine secrets (API keys, database passwords, private keys) in client-side JavaScript — obfuscated or not. Obfuscation raises the cost and time of reverse engineering but cannot prevent it completely.
javascript-obfuscator is an open-source Node.js library that transforms JavaScript ASTs (Abstract Syntax Trees) using a configurable set of obfuscation passes. It is widely used for protecting commercial JavaScript products, game code, licensing systems, and proprietary algorithms in browser-delivered code. This tool uses it compiled to run directly in the browser via a browser build — no code is sent to any server.
Control flow flattening transforms structured control flow (if/else, for loops, switch statements) into a single dispatch loop with a state variable, making the execution order of code blocks difficult to follow statically. It is one of the most effective obfuscation techniques and significantly increases the difficulty of reverse engineering. It increases code size and execution time as a trade-off.
Minification removes whitespace, comments, and shortens variable names to reduce file size — tools like Terser and UglifyJS do this. Minified code is still structurally similar to the original and can be pretty-printed and read with effort. Obfuscation goes further by intentionally transforming the code's structure, encoding strings, and inserting misleading patterns to prevent understanding even after formatting. For production code, minify first, then obfuscate if needed.
Obfuscation should produce functionally identical code, but edge cases exist: code that relies on Function.prototype.toString() (since function bodies are transformed), eval() with code that references variable names (since names are renamed), and reflection-based patterns that depend on specific identifier names. Test the obfuscated output thoroughly before deploying. High-level obfuscation with self-defending code may also conflict with strict mode.
