Verifiable privacy

Your JSON never leaves your browser.

MyJSON has no backend. Every operation — format, validate, diff, generate types, mock data, JWT decode, schema infer — runs entirely on your machine. The only network requests are the initial page load and the open-source libraries it ships. Verify it yourself.

How to verify (it's 30 seconds)

Open DevTools (F12 or right-click → Inspect).
Switch to the Network tab. Filter by XHR / Fetch.
Clear the log.
Paste your JSON, run format, switch views, edit, diff — anything you'd normally do.
The Network log stays empty. No requests fire.

What's in MyJSON's bundle

Every dependency is open source and inspectable. None of them call home. The Monaco editor — which most JSON tools load from a CDN — we serve from our own origin under /monaco/vs/, so the network tab never shows a third-party host.

Monaco editor (self-hosted)

VS Code's editor — runs entirely on the page. Served from our origin, not a CDN.

Ajv

JSON Schema validator. Pure-JS, in-process.

jsonpath-plus

JSONPath evaluator. Pure-JS.

js-yaml

YAML parser/dumper. Pure-JS.

json5 / jsonrepair

Tolerant parsing + repair. Pure-JS.

fast-xml-parser

XML round-trip. Pure-JS.

papaparse / @iarna/toml

CSV / TOML conversion. Pure-JS.

json-schema-faker

Mock data from schemas. Pure-JS.

lz-string

Compresses share-link payloads. Pure-JS.

What about local storage?

MyJSON saves your editor content, theme, and preferences to localStorage so the next reload picks up where you left off. This is scoped to your browser — it never reaches a server. You can also flip on session-only mode (the toggle in the status bar) to disable persistence entirely. Refresh and the editor is empty again — useful when you paste something sensitive.

No backend

Static site. There is no server we could put your data on.

No telemetry

No analytics, no error reporting, no usage tracking, no ads.

No external fetches

Even URLs in your JSON aren't auto-fetched — image previews require a manual click.

CSP and security headers

The hosting setup enforces these on every response:

Content-Security-Policy — restricts what can load, no external scripts
Strict-Transport-Security — preload-listed HSTS
X-Frame-Options: DENY — no clickjacking
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy — camera/mic/geolocation explicitly denied

Why this matters

Most free JSON tools online send your data to a server — sometimes silently. In March 2026, a popular JSON formatter extension was caught injecting ads and tracking user locations. JSON payloads routinely contain API keys, JWTs, customer PII, and internal IDs. The safest place for that data is the device it's already on.

Open MyJSON Read the docs