Your JSON never leaves your browser.
MyJSON has no backend. Every operation — format, validate, diff, generate types, mock data, JWT decode, schema infer — runs entirely on your machine. The only network requests are the initial page load and the open-source libraries it ships. Verify it yourself.
How to verify (it's 30 seconds)
- Open DevTools (F12 or right-click → Inspect).
- Switch to the Network tab. Filter by XHR / Fetch.
- Clear the log.
- Paste your JSON, run format, switch views, edit, diff — anything you'd normally do.
- The Network log stays empty. No requests fire.
What's in MyJSON's bundle
Every dependency is open source and inspectable. None of them call home. The Monaco editor — which most JSON tools load from a CDN — we serve from our own origin under /monaco/vs/, so the network tab never shows a third-party host.
Monaco editor (self-hosted)
VS Code's editor — runs entirely on the page. Served from our origin, not a CDN.
Ajv
JSON Schema validator. Pure-JS, in-process.
jsonpath-plus
JSONPath evaluator. Pure-JS.
jq-wasm
Real jq 1.8, compiled to WebAssembly. The WASM is embedded in the JS module (no separate download) and runs entirely on the page — no network.
js-yaml
YAML parser/dumper. Pure-JS.
json5 / jsonrepair
Tolerant parsing + repair. Pure-JS.
fast-xml-parser
XML round-trip. Pure-JS.
papaparse / @iarna/toml
CSV / TOML conversion. Pure-JS.
json-schema-faker
Mock data from schemas. Pure-JS.
lz-string
Compresses share-link payloads. Pure-JS.
What about local storage?
MyJSON saves your editor content, theme, and preferences to localStorage so the next reload picks up where you left off. This is scoped to your browser — it never reaches a server. You can also flip on session-only mode (the toggle in the status bar) to disable persistence entirely. Refresh and the editor is empty again — useful when you paste something sensitive.
No backend
Static site. There is no server we could put your data on.
No telemetry in the app
The editor and tools send nothing — no usage tracking, no error reporting, no ads. (See the note on marketing-page analytics below.)
No external fetches
Even URLs in your JSON aren't auto-fetched — image previews require a manual click.
What about analytics?
To know whether anyone actually finds these tools useful, the marketing pages (this homepage, the tool landing pages, and the docs) use Cloudflare Web Analytics — a cookieless visit counter that records no personal data and never sees page content. It tells us “a JSONPath page got N views from country X” and nothing more.
The app itself is a different story, on purpose. The editor, the decoders, and the NDJSON viewer — every surface where you paste real data — load zero analytics and zero third-party scripts. This very page you're reading loads none either. Open DevTools on the editor and the Network tab stays empty, exactly as promised. The visit counter and your data never meet.
CSP and security headers
The hosting setup enforces these on every response:
- Content-Security-Policy — restricts what can load; the only permitted third-party is the cookieless Cloudflare analytics beacon (marketing pages only)
- Strict-Transport-Security — preload-listed HSTS
- X-Frame-Options: DENY — no clickjacking
- Cross-Origin-Opener-Policy: same-origin
- Permissions-Policy — camera/mic/geolocation explicitly denied
Why this matters
Most free JSON tools online send your data to a server — sometimes silently. In March 2026, a popular JSON formatter extension was caught injecting ads and tracking user locations. JSON payloads routinely contain API keys, JWTs, customer PII, and internal IDs. The safest place for that data is the device it's already on.