Repository files navigation

• (Github)https://github.com/sponsors/sanex3339

Huge thanks to all supporters!

Obfuscator.io featuresVM-based bytecode obfuscation — the most advanced code protection available. Your JavaScript functions are transformed into custom bytecode running on an embedded virtual machine, making reverse engineering extremely difficult.

Try it at obfuscator.io

This package provides access to Obfuscator.io Pro API via CLI and Node.js API.

JavaScript Obfuscator is a powerful free obfuscator for JavaScript, containing a variety of features which provide protection for your source code.

Key features:

• VM bytecode obfuscation (viaObfuscator.io)
• variables renaming
• strings extraction and encryption
• dead code injection
• control flow flattening
• various code transformations
• andmore...

The example of obfuscated code:github.com

obfuscator.io

• Webpack plugin:webpack-obfuscator
• Webpack loader:obfuscator-loader
• Gulp:gulp-javascript-obfuscator
• Grunt:grunt-contrib-obfuscator
• Rollup:rollup-plugin-javascript-obfuscator
• Weex:weex-devtool
• Malta:malta-js-obfuscator
• Netlify plugin:netlify-plugin-js-obfuscator
• Snowpack plugin:snowpack-javascript-obfuscator

It is not recommended to obfuscate vendor scripts and polyfills, since the obfuscated code is 15-80% slower (depends on options) and the files are significantly larger.

Install the package with Yarn or NPM and add it to yourdependencies ordevDependencies:

$ yarn add --dev javascript-obfuscator

or

$ npm install --save-dev javascript-obfuscator

From CDN:

<scriptsrc="https://cdn.jsdelivr.net/npm/javascript-obfuscator/dist/index.browser.js"></script>

Fromnode_modules:

<scriptsrc="./node_modules/javascript-obfuscator/dist/index.browser.js"></script>

varJavaScriptObfuscator=require('javascript-obfuscator');varobfuscationResult=JavaScriptObfuscator.obfuscate(`        (function(){            var variable1 = '5' - 3;            var variable2 = '5' + 3;            var variable3 = '5' + - '2';            var variable4 = ['10','10','10','10','10'].map(parseInt);            var variable5 = 'foo ' + 1 + 1;            console.log(variable1);            console.log(variable2);            console.log(variable3);            console.log(variable4);            console.log(variable5);        })();    `,{compact:false,controlFlowFlattening:true,controlFlowFlatteningThreshold:1,numbersToExpressions:true,simplify:true,stringArrayShuffle:true,splitStrings:true,stringArrayThreshold:1});console.log(obfuscationResult.getObfuscatedCode());/*var _0x9947 = [    'map',    'log',    'foo\x20',    'bvmqO',    '133039ViRMWR',    'xPfLC',    'ytpdx',    '1243717qSZCyh',    '2|7|4|6|9|',    '1ErtbCr',    '1608314VKvthn',    '1ZRaFKN',    'XBoAA',    '423266kQOYHV',    '3|0|5|8|1',    '235064xPNdKe',    '13RUDZfG',    '157gNPQGm',    '1639212MvnHZL',    'rDjOa',    'iBHph',    '9926iRHoRl',    'split'];function _0x33e4(_0x1809b5, _0x37ef6e) {    return _0x33e4 = function (_0x338a69, _0x39ad79) {        _0x338a69 = _0x338a69 - (0x1939 + -0xf * 0x1f3 + 0x1 * 0x469);        var _0x2b223a = _0x9947[_0x338a69];        return _0x2b223a;    }, _0x33e4(_0x1809b5, _0x37ef6e);}(function (_0x431d87, _0x156c7f) {    var _0x10cf6e = _0x33e4;    while (!![]) {        try {            var _0x330ad1 = -parseInt(_0x10cf6e(0x6c)) * -parseInt(_0x10cf6e(0x6d)) + -parseInt(_0x10cf6e(0x74)) * -parseInt(_0x10cf6e(0x78)) + parseInt(_0x10cf6e(0x6a)) + -parseInt(_0x10cf6e(0x70)) + parseInt(_0x10cf6e(0x6e)) * -parseInt(_0x10cf6e(0x75)) + parseInt(_0x10cf6e(0x72)) + -parseInt(_0x10cf6e(0x67)) * parseInt(_0x10cf6e(0x73));            if (_0x330ad1 === _0x156c7f)                break;            else                _0x431d87['push'](_0x431d87['shift']());        } catch (_0x9f878) {            _0x431d87['push'](_0x431d87['shift']());        }    }}(_0x9947, -0xb6270 + 0x4dfd2 * 0x2 + 0x75460 * 0x2), function () {    var _0x1f346d = _0x33e4, _0x860db8 = {            'ytpdx': _0x1f346d(0x6b) + _0x1f346d(0x71),            'bvmqO': function (_0x560787, _0x519b9e) {                return _0x560787 - _0x519b9e;            },            'rDjOa': function (_0x4501fe, _0x2b07a3) {                return _0x4501fe + _0x2b07a3;            },            'xPfLC': function (_0x5f3c9b, _0x434936) {                return _0x5f3c9b + _0x434936;            },            'XBoAA': function (_0x535b8a, _0x42eef4) {                return _0x535b8a + _0x42eef4;            },            'iBHph': _0x1f346d(0x65)        }, _0x346c55 = _0x860db8[_0x1f346d(0x69)][_0x1f346d(0x79)]('|'), _0x3bf817 = 0x4bb * 0x1 + 0x801 + -0xcbc;    while (!![]) {        switch (_0x346c55[_0x3bf817++]) {        case '0':            console[_0x1f346d(0x7b)](_0x4c96d8);            continue;        case '1':            console[_0x1f346d(0x7b)](_0x101028);            continue;        case '2':            var _0x65977d = _0x860db8[_0x1f346d(0x66)]('5', -0x586 + -0x2195 + -0x6 * -0x685);            continue;        case '3':            console[_0x1f346d(0x7b)](_0x65977d);            continue;        case '4':            var _0x56d39b = _0x860db8[_0x1f346d(0x76)]('5', -'2');            continue;        case '5':            console[_0x1f346d(0x7b)](_0x56d39b);            continue;        case '6':            var _0x544285 = [                '10',                '10',                '10',                '10',                '10'            ][_0x1f346d(0x7a)](parseInt);            continue;        case '7':            var _0x4c96d8 = _0x860db8[_0x1f346d(0x68)]('5', 0x622 * -0x6 + 0x4a * 0x3 + 0x1 * 0x23f1);            continue;        case '8':            console[_0x1f346d(0x7b)](_0x544285);            continue;        case '9':            var _0x101028 = _0x860db8[_0x1f346d(0x6f)](_0x860db8[_0x1f346d(0x6f)](_0x860db8[_0x1f346d(0x77)], 0x6fb * 0x5 + 0x1ebf * 0x1 + -0x41a5), 0x209 * 0xa + 0x1314 + -0x276d);            continue;        }        break;    }}());*/

ReturnsObfuscationResult object which contains two public methods:

• getObfuscatedCode() - returnsstring with obfuscated code;
• getSourceMap() - ifsourceMap option is enabled - returnsstring with source map or an empty string ifsourceMapMode option is set asinline;
• getIdentifierNamesCache() - returns object with identifier names cache ifidentifierNamesCache option is enabled,null overwise.

CallingtoString() forObfuscationResult object will returnstring with obfuscated code.

Method takes two parameters,sourceCode andoptions – the source code and the options respectively:

• sourceCode (string, default:null) – any valid source code, passed as a string;
• options (Object, default:null) – an object with options.

For available options, seeoptions.

AcceptssourceCodesObject that is a map which keys are identifiers of source codes and values are source codes:

{    foo: 'var foo = 1;',    bar: 'var bar = 2;'}

Returns a map object which keys are identifiers of source codes and values areObfuscationResult objects.

Returns an options object for the passed options preset name.

The Pro API methods provide access toVM-based bytecode obfuscation through theobfuscator.io cloud service. VM obfuscation is the most advanced and secure form of code protection available, transforming your JavaScript functions into custom bytecode that runs on an embedded virtual machine.

Why VM Obfuscation?

• Strongest protection: Code is converted to bytecode that cannot be directly understood
• Anti-decompilation: No standard JavaScript to reverse engineer
• Customizable VM: Each obfuscation generates unique opcodes and VM structure
• Layered security: Combine with other obfuscation options for defense in depth

To use Pro API methods, you need a valid API token fromobfuscator.io:

1. Create an account atobfuscator.io
2. Subscribe to a Pro, Team, or Business plan that includes API access
3. Generate your API token atobfuscator.io/dashboard

Async method that obfuscates code using the Pro API with VM-based bytecode obfuscation.

constJavaScriptObfuscator=require('javascript-obfuscator');constresult=awaitJavaScriptObfuscator.obfuscatePro(`function hello() { console.log("Hello World"); }`,{vmObfuscation:true,// Required!vmObfuscationThreshold:1,compact:true},{apiToken:'your_javascript_obfuscator_pro_api_token'});console.log(result.getObfuscatedCode());

Parameters:

• sourceCode (string) – source code to obfuscate
• options (Object) – obfuscation options.Must include at least one Pro feature:vmObfuscation: true orparseHtml: true
• apiConfig (Object) – Pro API configuration:
  • apiToken (string, required) – your API token from obfuscator.io
  • timeout (number, optional) – request timeout in ms (default:300000 - 5 minutes)
  • version (string, optional) – Obfuscator.io version to use (e.g.,'5.0.3'). Defaults to latest version if not specified.
• onProgress (function, optional) – callback for progress updates during obfuscation

Returns:Promise<ObfuscationResult>

Throws:ApiError if:

• No Pro features (vmObfuscation orparseHtml) are enabled in options
• API token is invalid or expired
• API request fails

You can specify which obfuscator version to use via theversion option:

constresult=awaitJavaScriptObfuscator.obfuscatePro(sourceCode,{vmObfuscation:true,vmObfuscationThreshold:1},{apiToken:'your_javascript_obfuscator_pro_api_token',version:'5.0.3'// Use specific version});

The API uses streaming mode to provide real-time progress updates during obfuscation:

constresult=awaitJavaScriptObfuscator.obfuscatePro(sourceCode,{vmObfuscation:true,vmObfuscationThreshold:1},{apiToken:'your_javascript_obfuscator_pro_api_token'},(message)=>{console.log('Progress:',message);// Output: "Validating request...", "Authenticating...", "Obfuscating...", etc.});

UseProApiClient.hasProFeatures() to check if options require the Pro API:

const{ ProApiClient}=require('javascript-obfuscator');constoptions={vmObfuscation:true,compact:true};if(ProApiClient.hasProFeatures(options)){// Use obfuscatePro() - requires API tokenconstresult=awaitJavaScriptObfuscator.obfuscatePro(sourceCode,options,{ apiToken});}else{// Use regular obfuscate() - no API token neededconstresult=JavaScriptObfuscator.obfuscate(sourceCode,options);}

Pro features include:

• vmObfuscation: true – VM-based bytecode obfuscation
• parseHtml: true – HTML parsing with inline JavaScript obfuscation

const{ ApiError}=require('javascript-obfuscator');try{constresult=awaitJavaScriptObfuscator.obfuscatePro(sourceCode,options,config);}catch(error){if(errorinstanceofApiError){console.error(`API Error (${error.statusCode}):${error.message}`);}else{throwerror;}}

You can also use Pro API features directly from the CLI by providing your API token:

javascript-obfuscator input.js --pro-api-token YOUR_API_TOKEN --vm-obfuscationtrue -o output.js

With a specific obfuscator version:

javascript-obfuscator input.js --pro-api-token YOUR_API_TOKEN --pro-api-version 5.0.3 --vm-obfuscationtrue -o output.js

CLI Options:

• --pro-api-token <string> – Your API token fromobfuscator.io
• --pro-api-version <string> – Obfuscator.io version to use (optional, defaults to latest)

The CLI automatically detects when Pro features (vmObfuscation orparseHtml) are enabled and routes the request through the Pro API.

For files larger than ~4MB, the Pro API uses client-side uploads to Vercel Blob storage. To enable this feature, install the optional@vercel/blob package:

npm install @vercel/blob

Without this package, large file obfuscation will fail with an error message prompting you to install it.

SeeCLI options.

Usage:

javascript-obfuscator input_file_name.js [options]javascript-obfuscator input_file_name.js --output output_file_name.js [options]javascript-obfuscator input_file_name.js --output output_folder_name [options]javascript-obfuscator input_folder_name --output output_folder_name [options]

Obfuscation of single input file with.js extension.

If the destination path is not specified with the--output option, the obfuscated file will be saved into the input file directory, withINPUT_FILE_NAME-obfuscated.js name.

Some examples:

javascript-obfuscator samples/sample.js --compacttrue --self-defendingfalse// creates a new file samples/sample-obfuscated.jsjavascript-obfuscator samples/sample.js --output output/output.js --compacttrue --self-defendingfalse// creates a new file output/output.js

Usage:

javascript-obfuscator ./dist [options]// creates a new obfuscated files under`./dist` directory near the input files with`obfuscated` postfixjavascript-obfuscator ./dist --output ./dist/obfuscated [options]// creates a folder structure with obfuscated files under`./dist/obfuscated` path

Obfuscation of all.js files under input directory. If this directory contains already obfuscated files with-obfuscated postfix - these files will ignored.

Obfuscated files will saved into the input directory underINPUT_FILE_NAME-obfuscated.js name.

You can disable and enable obfuscation for specific parts of the code by adding following comments:

• disable:// javascript-obfuscator:disable or/* javascript-obfuscator:disable */;
• enable:// javascript-obfuscator:enable or/* javascript-obfuscator:enable */.

Example:

// inputvarfoo=1;// javascript-obfuscator:disablevarbar=2;// outputvar_0xabc123=0x1;varbar=2;

Conditional comments affect only direct transformations of AST-tree nodes. All child transformations still will be applied to the AST-tree nodes.

For example:

• Obfuscation of the variable's name at its declaration is called direct transformation;
• Obfuscation of the variable's name beyond its declaration is called child transformation.

Kind of variables of inserted nodes will auto-detected, based on most prevailing kind of variables of source code.

During obfuscation of the different files, the same names can be generated for the global identifiers between these files.To prevent this set the unique prefix for all global identifiers for each obfuscated file withidentifiersPrefix option.

When using CLI this prefix will be added automatically.

Following options are available for the JS Obfuscator:

{compact:true,controlFlowFlattening:false,controlFlowFlatteningThreshold:0.75,deadCodeInjection:false,deadCodeInjectionThreshold:0.4,debugProtection:false,debugProtectionInterval:0,disableConsoleOutput:false,domainLock:[],domainLockRedirectUrl:'about:blank',forceTransformStrings:[],identifierNamesCache:null,identifierNamesGenerator:'hexadecimal',identifiersDictionary:[],identifiersPrefix:'',ignoreImports:false,inputFileName:'',log:false,numbersToExpressions:false,optionsPreset:'default',renameGlobals:false,renameProperties:false,renamePropertiesMode:'safe',reservedNames:[],reservedStrings:[],seed:0,selfDefending:false,simplify:true,sourceMap:false,sourceMapBaseUrl:'',sourceMapFileName:'',sourceMapMode:'separate',sourceMapSourcesMode:'sources-content',splitStrings:false,splitStringsChunkLength:10,stringArray:true,stringArrayCallsTransform:true,stringArrayCallsTransformThreshold:0.5,stringArrayEncoding:[],stringArrayIndexesType:['hexadecimal-number'],stringArrayIndexShift:true,stringArrayRotate:true,stringArrayShuffle:true,stringArrayWrappersCount:1,stringArrayWrappersChainedCalls:true,stringArrayWrappersParametersMaxCount:2,stringArrayWrappersType:'variable',stringArrayThreshold:0.75,target:'browser',transformObjectKeys:false,unicodeEscapeSequence:false}

    -v, --version    -h, --help    -o, --output    --compact<boolean>    --config<string>    --control-flow-flattening<boolean>    --control-flow-flattening-threshold<number>    --dead-code-injection<boolean>    --dead-code-injection-threshold<number>    --debug-protection<boolean>    --debug-protection-interval<number>    --disable-console-output<boolean>    --domain-lock'<list>' (comma separated)    --domain-lock-redirect-url<string>    --exclude'<list>' (comma separated)    --force-transform-strings'<list>' (comma separated)    --identifier-names-cache-path<string>    --identifier-names-generator<string> [dictionary, hexadecimal, mangled, mangled-shuffled]    --identifiers-dictionary'<list>' (comma separated)    --identifiers-prefix<string>    --ignore-imports<boolean>    --log<boolean>    --numbers-to-expressions<boolean>    --options-preset<string> [default, low-obfuscation, medium-obfuscation, high-obfuscation]    --rename-globals<boolean>    --rename-properties<boolean>    --rename-properties-mode<string> [safe, unsafe]    --reserved-names'<list>' (comma separated)    --reserved-strings'<list>' (comma separated)    --seed<string|number>    --self-defending<boolean>    --simplify<boolean>    --source-map<boolean>    --source-map-base-url<string>    --source-map-file-name<string>    --source-map-mode<string> [inline, separate]    --source-map-sources-mode<string> [sources, sources-content]    --split-strings<boolean>    --split-strings-chunk-length<number>    --string-array<boolean>    --string-array-calls-transform<boolean>    --string-array-calls-transform-threshold<number>    --string-array-encoding'<list>' (comma separated) [none, base64, rc4]    --string-array-indexes-type'<list>' (comma separated) [hexadecimal-number, hexadecimal-numeric-string]    --string-array-index-shift<boolean>    --string-array-rotate<boolean>    --string-array-shuffle<boolean>    --string-array-wrappers-count<number>    --string-array-wrappers-chained-calls<boolean>    --string-array-wrappers-parameters-max-count<number>    --string-array-wrappers-type<string> [variable, function]    --string-array-threshold<number>    --target<string> [browser, browser-no-eval, node]    --transform-object-keys<boolean>    --unicode-escape-sequence<boolean>    --pro-api-token<string>    --pro-api-version<string>    --vm-obfuscation<boolean>    --vm-obfuscation-threshold<number>    --vm-preprocess-identifiers<boolean>    --vm-dynamic-opcodes<boolean>    --vm-target-functions'<list>' (comma separated)    --vm-exclude-functions'<list>' (comma separated)    --vm-target-functions-mode<string> [root, comment]    --vm-wrap-top-level-initializers<boolean>    --vm-opcode-shuffle<boolean>    --vm-bytecode-encoding<boolean>    --vm-bytecode-array-encoding<boolean>    --vm-bytecode-array-encoding-key<string>    --vm-bytecode-array-encoding-key-getter<string>    --vm-instruction-shuffle<boolean>    --vm-jumps-encoding<boolean>    --vm-decoy-opcodes<boolean>    --vm-dead-code-injection<boolean>    --vm-split-dispatcher<boolean>    --vm-macro-ops<boolean>    --vm-debug-protection<boolean>    --vm-runtime-opcode-derivation<boolean>    --vm-stateful-opcodes<boolean>    --vm-stack-encoding<boolean>    --vm-randomize-keys<boolean>    --vm-indirect-dispatch<boolean>    --vm-compact-dispatcher<boolean>    --vm-bytecode-format<string> [binary, json]    --parse-html<boolean>    --strict-mode<boolean>

Type:boolean Default:true

Compact code output on one line.

Type:string Default: ``

Name of JS/JSON config file which contains obfuscator options. These will be overridden by options passed directly to CLI

Type:boolean Default:false

Enables code control flow flattening. Control flow flattening is a structure transformation of the source code that hinders program comprehension.

Example:

// input(function(){functionfoo(){returnfunction(){varsum=1+2;console.log(1);console.log(2);console.log(3);console.log(4);console.log(5);console.log(6);}}foo()();})();// output(function(){function_0x3bfc5c(){returnfunction(){var_0x3260a5={'WtABe':'4|0|6|5|3|2|1','GokKo':function_0xf87260(_0x427a8e,_0x43354c){return_0x427a8e+_0x43354c;}};var_0x1ad4d6=_0x3260a5['WtABe']['split']('|'),_0x1a7b12=0x0;while(!![]){switch(_0x1ad4d6[_0x1a7b12++]){case'0':console['log'](0x1);continue;case'1':console['log'](0x6);continue;case'2':console['log'](0x5);continue;case'3':console['log'](0x4);continue;case'4':var_0x1f2f2f=_0x3260a5['GokKo'](0x1,0x2);continue;case'5':console['log'](0x3);continue;case'6':console['log'](0x2);continue;}break;}};}_0x3bfc5c()();}());

Type:number Default:0.75 Min:0 Max:1

The probability that thecontrolFlowFlattening transformation will be applied to any given node.

This setting is especially useful for large code size because large amounts of control flow transformations can slow down your code and increase code size.

controlFlowFlatteningThreshold: 0 equals tocontrolFlowFlattening: false.

Type:boolean Default:false

With this option, random blocks of dead code will be added to the obfuscated code.

Example:

// input(function(){if(true){varfoo=function(){console.log('abc');};varbar=function(){console.log('def');};varbaz=function(){console.log('ghi');};varbark=function(){console.log('jkl');};varhawk=function(){console.log('mno');};foo();bar();baz();bark();hawk();}})();// outputvar_0x37b8=['YBCtz','GlrkA','urPbb','abc','NMIhC','yZgAj','zrAId','EtyJA','log','mno','jkl','def','Quzya','IWbBa','ghi'];function_0x43a7(_0x12cf56,_0x587376){_0x43a7=function(_0x2f87a8,_0x47eac2){_0x2f87a8=_0x2f87a8-(0x16a7*0x1+0x5*0x151+-0x1c92);var_0x341e03=_0x37b8[_0x2f87a8];return_0x341e03;};return_0x43a7(_0x12cf56,_0x587376);}(function(){if(!![]){var_0xbbe28f=function(){var_0x2fc85f=_0x43a7;if(_0x2fc85f(0xaf)===_0x2fc85f(0xae)){_0x1dd94f[_0x2fc85f(0xb2)](_0x2fc85f(0xb5));}else{console[_0x2fc85f(0xb2)](_0x2fc85f(0xad));}};var_0x5e46bc=function(){var_0x15b472=_0x43a7;if(_0x15b472(0xb6)!==_0x15b472(0xaa)){console[_0x15b472(0xb2)](_0x15b472(0xb5));}else{_0x47eac2[_0x15b472(0xb2)](_0x15b472(0xad));}};var_0x3669e8=function(){var_0x47a442=_0x43a7;if(_0x47a442(0xb7)!==_0x47a442(0xb0)){console[_0x47a442(0xb2)](_0x47a442(0xb8));}else{_0x24e0bf[_0x47a442(0xb2)](_0x47a442(0xb3));}};var_0x28b05a=function(){var_0x497902=_0x43a7;if(_0x497902(0xb1)===_0x497902(0xb1)){console[_0x497902(0xb2)](_0x497902(0xb4));}else{_0x59c9c6[_0x497902(0xb2)](_0x497902(0xb4));}};var_0x402a54=function(){var_0x1906b7=_0x43a7;if(_0x1906b7(0xab)===_0x1906b7(0xac)){_0xb89cd0[_0x1906b7(0xb2)](_0x1906b7(0xb8));}else{console[_0x1906b7(0xb2)](_0x1906b7(0xb3));}};_0xbbe28f();_0x5e46bc();_0x3669e8();_0x28b05a();_0x402a54();}}());

Type:number Default:0.4 Min:0 Max:1

Allows to set percentage of nodes that will affected bydeadCodeInjection.

Type:boolean Default:false

This option makes it almost impossible to use thedebugger function of the Developer Tools (both on WebKit-based and Mozilla Firefox).

Type:number Default:0

If set, an interval in milliseconds is used to force the debug mode on the Console tab, making it harder to use other features of the Developer Tools. Works ifdebugProtection is enabled. Recommended value is between2000 and4000 milliseconds.

Type:boolean Default:false

Disables the use ofconsole.log,console.info,console.error,console.warn,console.debug,console.exception andconsole.trace by replacing them with empty functions. This makes the use of the debugger harder.

Type:string[] Default:[]

Allows to run the obfuscated source code only on specific domains and/or sub-domains. This makes really hard for someone to just copy and paste your source code and run it elsewhere.

If the source code isn't run on the domains specified by this option, the browser will be redirected to a passed to thedomainLockRedirectUrl option URL.

It's possible to lock your code to more than one domain or sub-domain. For instance, to lock it so the code only runs onwww.example.com addwww.example.com. To make it work on the root domain including any sub-domains (example.com,sub.example.com), use.example.com.

Type:string Default:about:blank

Allows the browser to be redirected to a passed URL if the source code isn't run on the domains specified bydomainLock

Type:string[] Default:[]

A file names or globs which indicates files to exclude from obfuscation.

Type:string[] Default:[]

Enables force transformation of string literals, which being matched by passed RegExp patterns.

The option has a priority overreservedStrings option but hasn't a priority overconditional comments.

Example:

{forceTransformStrings:['some-important-value','some-string_\d']}

Type:Object | null Default:null

The main goal for this option is the ability to use the same identifier names during obfuscation of multiple sources/files.

Currently the two types of the identifiers are supported:

• Global identifiers:
  • All global identifiers will be written to the cache;
  • All matchedundeclared global identifiers will be replaced by the values from the cache.
• Property identifiers, only whenrenameProperties option is enabled:
  • All property identifiers will be written to the cache;
  • All matched property identifiers will be replaced by the values from the cache.

If anull value is passed, completely disables the cache.

If an empty object ({}) is passed, enables the writing identifier names to the cache-object (TIdentifierNamesCache type). This cache-object will be accessed through thegetIdentifierNamesCache method call ofObfuscationResult object.

The resulting cache-object can be next used asidentifierNamesGenerator option value for using these names during obfuscation of all matched identifier names of next sources.

Example:

constsource1ObfuscationResult=JavaScriptObfuscator.obfuscate(`        function foo(arg) {           console.log(arg)        }        function bar() {            var bark = 2;        }    `,{compact:false,identifierNamesCache:{},renameGlobals:true})console.log(source1ObfuscationResult.getIdentifierNamesCache());/*    {        globalIdentifiers: {            foo: '_0x5de86d',            bar: '_0x2a943b'        }    }*/constsource2ObfuscationResult=JavaScriptObfuscator.obfuscate(`        // Expecting that these global functions are defined in another obfuscated file        foo(1);        bar();        // Expecting that this global function is defined in third-party package        baz();    `,{compact:false,identifierNamesCache:source1ObfuscationResult.getIdentifierNamesCache(),renameGlobals:true})console.log(source2ObfuscationResult.getObfuscatedCode());/*    _0x5de86d(0x1);    _0x2a943b();    baz(); */

CLI has a different option--identifier-names-cache-path that allows defining a path to the existing.json file that will be used to read and write identifier names cache.

If a path to the empty file will be passed - identifier names cache will be written to that file.

This file with existing cache can be used again as--identifier-names-cache-path option value for using these names during obfuscation of all matched identifier names of the next files.

Type:string Default:hexadecimal

Sets identifier names generator.

Available values:

• dictionary: identifier names fromidentifiersDictionary list
• hexadecimal: identifier names like_0xabc123
• mangled: short identifier names likea,b,c
• mangled-shuffled: same asmangled but with shuffled alphabet

Type:string[] Default:[]

Sets identifiers dictionary foridentifierNamesGenerator:dictionary option. Each identifier from the dictionary will be used in a few variants with a different casing of each character. Thus, the number of identifiers in the dictionary should depend on the identifiers amount at original source code.

Type:string Default:''

Sets prefix for all global identifiers.

Use this option when you want to obfuscate multiple files. This option helps to avoid conflicts between global identifiers of these files. Prefix should be different for every file.

Type:boolean Default:false

Prevents obfuscation ofrequire imports. Could be helpful in some cases when for some reason runtime environment requires these imports with static strings only.

Type:string Default:''

Allows to set name of the input file with source code. This name will be used internally for source map generation.Required when using NodeJS API andsourceMapSourcesMode option hassources value`.

Type:boolean Default:false

Enables logging of the information to the console.

Type:boolean Default:false

Enables numbers conversion to expressions

Example:

// inputconstfoo=1234;// outputconstfoo=-0xd93+-0x10b4+0x41*0x67+0x84e*0x3+-0xff8;

Type:string Default:default

Allows to setoptions preset.

Available values:

• default;
• low-obfuscation;
• medium-obfuscation;
• high-obfuscation.

All addition options will be merged with selected options preset.

Type:boolean Default:false

Enables obfuscation of global variable and function nameswith declaration.

Type:boolean Default:false

Enables renaming of property names. All built-in DOM properties and properties in core JavaScript classes will be ignored.

To switch betweensafe andunsafe modes of this option userenamePropertiesMode option.

To set format of renamed property names useidentifierNamesGenerator option.

To control which properties will be renamed usereservedNames option.

Example:

// input(function(){constfoo={prop1:1,prop2:2,calc:function(){returnthis.prop1+this.prop2;}};console.log(foo.calc());})();// output(function(){const_0x46529b={'_0x10cec7':0x1,'_0xc1c0ca':0x2,'_0x4b961d':function(){returnthis['_0x10cec7']+this['_0xc1c0ca'];}};console['log'](_0x46529b['_0x4b961d']());}());

Type:string Default:safe

SpecifiesrenameProperties option mode:

• safe - default behaviour after2.11.0 release. Trying to rename properties in a more safe way to prevent runtime errors. With this mode some properties will be excluded from renaming.
• unsafe - default behaviour before2.11.0 release. Renames properties in an unsafe way without any restrictions.

If one file is using properties from other file, useidentifierNamesCache option to keep the same property names between these files.

Type:string[] Default:[]

Disables obfuscation and generation of identifiers, which being matched by passed RegExp patterns.

Example:

{reservedNames:['^someVariable','functionParameter_\d']}

Type:string[] Default:[]

Disables transformation of string literals, which being matched by passed RegExp patterns.

Example:

{reservedStrings:['react-native','\.\/src\/test','some-string_\d']}

Type:string|number Default:0

This option sets seed for random generator. This is useful for creating repeatable results.

If seed is0 - random generator will work without seed.

Type:boolean Default:false

This option makes the output code resilient against formatting and variable renaming. If one tries to use a JavaScript beautifier on the obfuscated code, the code won't work anymore, making it harder to understand and modify it.

Type:boolean Default:true

Enables additional code obfuscation through simplification.

Example:

// inputif(condition1){constfoo=1;constbar=2;console.log(foo);returnbar;}elseif(condition2){console.log(1);console.log(2);console.log(3);return4;}else{return5;}// outputif(condition1){constfoo=0x1,bar=0x2;returnconsole['log'](foo),bar;}elsereturncondition2 ?(console['log'](0x1),console['log'](0x2),console['log'](0x3),0x4) :0x5;

Type:boolean Default:false

Enables source map generation for obfuscated code.

Source maps can be useful to help you debug your obfuscated JavaScript source code. If you want or need to debug in production, you can upload the separate source map file to a secret location and then point your browser there.

Type:string Default: ``

Sets base url to the source map import url whensourceMapMode: 'separate'.

CLI example:

javascript-obfuscator input.js --output out.js --source-map true --source-map-base-url 'http://localhost:9000'

Result:

//# sourceMappingURL=http://localhost:9000/out.js.map

Type:string Default: ``

Sets file name for output source map whensourceMapMode: 'separate'.

CLI example:

javascript-obfuscator input.js --output out.js --source-map true --source-map-base-url 'http://localhost:9000' --source-map-file-name example

Result:

//# sourceMappingURL=http://localhost:9000/example.js.map

Type:string Default:separate

Specifies source map generation mode:

• inline - add source map at the end of each .js files;
• separate - generates corresponding '.map' file with source map. In case you run obfuscator through CLI - adds link to source map file to the end of file with obfuscated code//# sourceMappingUrl=file.js.map.

Type:string Default:sources-content

Allows to controlsources andsourcesContent fields of the source map:

• sources-content - adds dummysources field, addssourcesContent field with the original source code;
• sources - addssources field with a valid source description, does not addsourcesContent field. When using NodeJS API it's required to defineinputFileName option that will be used assources field value.

Type:boolean Default:false

Splits literal strings into chunks with length ofsplitStringsChunkLength option value.

Example:

// input(function(){vartest='abcdefg';})();// output(function(){var_0x5a21='ab'+'cd'+'ef'+'g';})();

Type:number Default:10

Sets chunk length ofsplitStrings option.

Type:boolean Default:true

Removes string literals and place them in a special array. For instance, the string"Hello World" invar m = "Hello World"; will be replaced with something likevar m = _0x12c456[0x1];

Type:boolean Default:false

Enables the transformation of calls to thestringArray. All arguments of these calls may be extracted to a different object depending onstringArrayCallsTransformThreshold value.So it makes it even harder to automatically find calls to the string array.

Example:

function foo() {    var k = {        c: 0x2f2,        d: '0x396',        e: '0x397',        f: '0x39a',        g: '0x39d',        h: 0x398,        l: 0x394,        m: '0x39b',        n: '0x39f',        o: 0x395,        p: 0x395,        q: 0x399,        r: '0x399'    };    var c = i(k.d, k.e);    var d = i(k.f, k.g);    var e = i(k.h, k.l);    var f = i(k.m, k.n);    function i(c, d) {        return b(c - k.c, d);    }    var g = i(k.o, k.p);    var h = i(k.q, k.r);}function j(c, d) {    var l = { c: 0x14b };    return b(c - -l.c, d);}console[j(-'0xa6', -'0xa6')](foo());function b(c, d) {    var e = a();    b = function (f, g) {        f = f - 0xa3;        var h = e[f];        return h;    };    return b(c, d);}function a() {    var m = [        'string5',        'string1',        'log',        'string3',        'string6',        'string2',        'string4'    ];    a = function () {        return m;    };    return a();}

Type:number Default:0.5

You can use this setting to adjust the probability (from 0 to 1) that calls to the string array will be transformed.

Type:string[] Default:[]

This option can slow down your script.

Encode all string literals of thestringArray usingbase64 orrc4 and inserts a special code that used to decode it back at runtime.

EachstringArray value will be encoded by the randomly picked encoding from the passed list. This makes possible to use multiple encodings.

Available values:

• 'none' (boolean): doesn't encodestringArray value
• 'base64' (string): encodesstringArray value usingbase64
• 'rc4' (string): encodesstringArray value usingrc4.About 30-50% slower thanbase64, but harder to get initial values. It's recommended to disableunicodeEscapeSequence option when usingrc4 encoding to prevent very large size of obfuscated code.

For example with the following option values somestringArray value won't be encoded, and some values will be encoded withbase64 andrc4 encoding:

stringArrayEncoding:['none','base64','rc4']

Type:string[] Default:['hexadecimal-number']

Allows to control the type of string array call indexes.

EachstringArray call index will be transformed by the randomly picked type from the passed list. This makes possible to use multiple types.

Available values:

• 'hexadecimal-number' (default): transforms string array call indexes as hexadecimal numbers
• 'hexadecimal-numeric-string': transforms string array call indexes as hexadecimal numeric string

Before2.9.0 releasejavascript-obfuscator transformed all string array call indexes withhexadecimal-numeric-string type. This makes some manual deobfuscation slightly harder but it allows easy detection of these calls by automatic deobfuscators.

The newhexadecimal-number type approaches to make harder auto-detect of string array call patterns in the code.

More types will be added in the future.

Type:boolean Default:true

Enables additional index shift for all string array calls

Type:boolean Default:true

Shift thestringArray array by a fixed and random (generated at the code obfuscation) places. This makes it harder to match the order of the removed strings to their original place.

Type:boolean Default:true

Randomly shuffles thestringArray array items.

Type:number Default:1

Sets the count of wrappers for thestring array inside each root or function scope.The actual count of wrappers inside each scope is limited by a count ofliteral nodes within this scope.

Example:

// Inputconstfoo='foo';constbar='bar';functiontest(){constbaz='baz';constbark='bark';consthawk='hawk';}consteagle='eagle';// Output, stringArrayWrappersCount: 5const_0x3f6c=['bark','bar','foo','eagle','hawk','baz'];const_0x48f96e=_0x2e13;const_0x4dfed8=_0x2e13;const_0x55e970=_0x2e13;function_0x2e13(_0x33c4f5,_0x3f6c62){_0x2e13=function(_0x2e1388,_0x60b1e){_0x2e1388=_0x2e1388-0xe2;let_0x53d475=_0x3f6c[_0x2e1388];return_0x53d475;};return_0x2e13(_0x33c4f5,_0x3f6c62);}constfoo=_0x48f96e(0xe4);constbar=_0x4dfed8(0xe3);functiontest(){const_0x1c262f=_0x2e13;const_0x54d7a4=_0x2e13;const_0x5142fe=_0x2e13;const_0x1392b0=_0x1c262f(0xe7);const_0x201a58=_0x1c262f(0xe2);const_0xd3a7fb=_0x1c262f(0xe6);}consteagle=_0x48f96e(0xe5);

Type:boolean Default:true

Enables the chained calls betweenstring array wrappers.

Example:

// Inputconstfoo='foo';constbar='bar';functiontest(){constbaz='baz';constbark='bark';functiontest1(){consthawk='hawk';consteagle='eagle';}}// Output, stringArrayWrappersCount: 5, stringArrayWrappersChainedCalls: trueconst_0x40c2=['bar','bark','hawk','eagle','foo','baz'];const_0x31c087=_0x3280;const_0x31759a=_0x3280;function_0x3280(_0x1f52ee,_0x40c2a2){_0x3280=function(_0x3280a4,_0xf07b02){_0x3280a4=_0x3280a4-0x1c4;let_0x57a182=_0x40c2[_0x3280a4];return_0x57a182;};return_0x3280(_0x1f52ee,_0x40c2a2);}constfoo=_0x31c087(0x1c8);constbar=_0x31c087(0x1c4);functiontest(){const_0x848719=_0x31759a;const_0x2693bf=_0x31c087;const_0x2c08e8=_0x848719(0x1c9);const_0x359365=_0x2693bf(0x1c5);function_0x175e90(){const_0x310023=_0x848719;const_0x2302ef=_0x2693bf;const_0x237437=_0x310023(0x1c6);const_0x56145c=_0x310023(0x1c7);}}

Type:number Default:2

Allows to control the maximum number of string array wrappers parameters.Default and minimum value is2. Recommended value between2 and5.

Type:string Default:variable

Allows to select a type of the wrappers that are appending by thestringArrayWrappersCount option.

Available values:

• 'variable': appends variable wrappers at the top of each scope. Fast performance.
• 'function': appends function wrappers at random positions inside each scope. Slower performance than withvariable but provides more strict obfuscation.

Highly recommended to usefunction wrappers for higher obfuscation when a performance loss doesn't have a high impact on an obfuscated application.

Example of the'function' option value:

// inputconstfoo='foo';functiontest(){constbar='bar';console.log(foo,bar);}test();// outputconsta=['log','bar','foo'];constfoo=d(0x567,0x568);functionb(c,d){b=function(e,f){e=e-0x185;letg=a[e];returng;};returnb(c,d);}functiontest(){constc=e(0x51c,0x51b);functione(c,g){returnb(c-0x396,g);}console[f(0x51b,0x51d)](foo,c);functionf(c,g){returnb(c-0x396,g);}}functiond(c,g){returnb(g-0x3e1,c);}test();

Type:number Default:0.8 Min:0 Max:1

You can use this setting to adjust the probability (from 0 to 1) that a string literal will be inserted into thestringArray.

This setting is especially useful for large code size because it repeatedly calls to thestring array and can slow down your code.

stringArrayThreshold: 0 equals tostringArray: false.

Type:string Default:browser

Allows to set target environment for obfuscated code.

Available values:

• browser;
• browser-no-eval;
• node.

Currently output code forbrowser andnode targets is identical, but some browser-specific options are not allowed to use withnode target.Output code forbrowser-no-eval target is not usingeval.

Type:boolean Default:false

Enables transformation of object keys.

Example:

// input(function(){varobject={foo:'test1',bar:{baz:'test2'}};})();// outputvar_0x4735=['foo','baz','bar','test1','test2'];function_0x390c(_0x33d6b6,_0x4735f4){_0x390c=function(_0x390c37,_0x1eed85){_0x390c37=_0x390c37-0x198;var_0x2275f8=_0x4735[_0x390c37];return_0x2275f8;};return_0x390c(_0x33d6b6,_0x4735f4);}(function(){var_0x17d1b7=_0x390c;var_0xc9b6bb={};_0xc9b6bb[_0x17d1b7(0x199)]=_0x17d1b7(0x19c);var_0x3d959a={};_0x3d959a[_0x17d1b7(0x198)]=_0x17d1b7(0x19b);_0x3d959a[_0x17d1b7(0x19a)]=_0xc9b6bb;var_0x41fd86=_0x3d959a;}());

Type:boolean Default:false

Allows to enable/disable string conversion to unicode escape sequence.

Unicode escape sequence increases code size greatly and strings easily can be reverted to their original view. Recommended to enable this option only for small source code.

The performance will be much slower than without obfuscation

{compact:true,controlFlowFlattening:true,controlFlowFlatteningThreshold:1,deadCodeInjection:true,deadCodeInjectionThreshold:1,debugProtection:true,debugProtectionInterval:4000,disableConsoleOutput:true,identifierNamesGenerator:'hexadecimal',log:false,numbersToExpressions:true,renameGlobals:false,selfDefending:true,simplify:true,splitStrings:true,splitStringsChunkLength:5,stringArray:true,stringArrayCallsTransform:true,stringArrayEncoding:['rc4'],stringArrayIndexShift:true,stringArrayRotate:true,stringArrayShuffle:true,stringArrayWrappersCount:5,stringArrayWrappersChainedCalls:true,stringArrayWrappersParametersMaxCount:5,stringArrayWrappersType:'function',stringArrayThreshold:1,transformObjectKeys:true,unicodeEscapeSequence:false}

The performance will be slower than without obfuscation

{compact:true,controlFlowFlattening:true,controlFlowFlatteningThreshold:0.75,deadCodeInjection:true,deadCodeInjectionThreshold:0.4,debugProtection:false,debugProtectionInterval:0,disableConsoleOutput:true,identifierNamesGenerator:'hexadecimal',log:false,numbersToExpressions:true,renameGlobals:false,selfDefending:true,simplify:true,splitStrings:true,splitStringsChunkLength:10,stringArray:true,stringArrayCallsTransform:true,stringArrayCallsTransformThreshold:0.75,stringArrayEncoding:['base64'],stringArrayIndexShift:true,stringArrayRotate:true,stringArrayShuffle:true,stringArrayWrappersCount:2,stringArrayWrappersChainedCalls:true,stringArrayWrappersParametersMaxCount:4,stringArrayWrappersType:'function',stringArrayThreshold:0.75,transformObjectKeys:true,unicodeEscapeSequence:false}

The performance will be at a relatively normal level

{compact:true,controlFlowFlattening:false,deadCodeInjection:false,debugProtection:false,debugProtectionInterval:0,disableConsoleOutput:true,identifierNamesGenerator:'hexadecimal',log:false,numbersToExpressions:false,renameGlobals:false,selfDefending:true,simplify:true,splitStrings:false,stringArray:true,stringArrayCallsTransform:false,stringArrayEncoding:[],stringArrayIndexShift:true,stringArrayRotate:true,stringArrayShuffle:true,stringArrayWrappersCount:1,stringArrayWrappersChainedCalls:true,stringArrayWrappersParametersMaxCount:2,stringArrayWrappersType:'variable',stringArrayThreshold:0.75,unicodeEscapeSequence:false}

{compact:true,controlFlowFlattening:false,deadCodeInjection:false,debugProtection:false,debugProtectionInterval:0,disableConsoleOutput:false,identifierNamesGenerator:'hexadecimal',log:false,numbersToExpressions:false,renameGlobals:false,selfDefending:false,simplify:true,splitStrings:false,stringArray:true,stringArrayCallsTransform:false,stringArrayCallsTransformThreshold:0.5,stringArrayEncoding:[],stringArrayIndexShift:true,stringArrayRotate:true,stringArrayShuffle:true,stringArrayWrappersCount:1,stringArrayWrappersChainedCalls:true,stringArrayWrappersParametersMaxCount:2,stringArrayWrappersType:'variable',stringArrayThreshold:0.75,unicodeEscapeSequence:false}

⚠️The following VM obfuscation/Pro options are available only via theObfuscator.io Pro API.

To use these options, you need a Pro API token fromobfuscator.io and must call theobfuscatePro() method instead ofobfuscate(). See thePro API Methods section for details.

Type:boolean Default:false

Enables VM-based bytecode obfuscation. When enabled, JavaScript functions are compiled into custom bytecode that runs on an embedded virtual machine. This provides the highest level of protection as the original code logic is completely transformed.

Example:Your readable code likereturn qty * price becomes a list of numbers like[0x15,0x03,0x17,...] that only the embedded VM interpreter can execute. The original logic is no longer visible as JavaScript.

Type:number Default:1

Controls what percentage of your root-level functions get VM protection.

Warning: Values other than1 may cause runtime bugs when VM-obfuscated and non-VM-obfuscated code share top-level variables. A value of1 is strongly recommended. For selective function obfuscation, usevmTargetFunctionsMode: 'comment' with the// javascript-obfuscator:vm directive instead.

Type:boolean Default:true

Renames all non-global identifiers to unique hexadecimal names before VM obfuscation. This eliminates variable shadowing that can cause scope resolution issues in the VM bytecode.

When to disable: Only disable this if you encounter specific compatibility issues. The preprocessing step ensures correct variable resolution in complex nested scopes.

Type:string[] Default:[]

Specify exactly which root-level functions should get VM protection by name.

Example:

{vmObfuscation:true,vmTargetFunctions:['someFunctionName']}

Result: Only these three functions get VM-protected. Everything else stays as regular (but still obfuscated) JavaScript. Perfect for protecting sensitive license checks or authentication logic while keeping the rest of your code lean.

Type:string[] Default:[]

Specify root-level functions that should never get VM protection. Takes precedence over other settings.

Example:

{vmObfuscation:true,vmExcludeFunctions:['someFunctionName']}

When to use: Performance-critical root-level functions (animation loops, real-time data processing) can be excluded to avoid VM overhead while still protecting everything else.

Type:string Default:root

Controls how functions/methods are selected for VM obfuscation.

Example - Comment mode:

// Source codefunctionregularFunction(){return'not virtualized';}/* javascript-obfuscator:vm */functionsensitiveFunction(){return'this will be VM-protected';}functionouter(){/* javascript-obfuscator:vm */functionnestedSensitive(){return'nested but still VM-protected';}returnnestedSensitive();}

// Obfuscator options{vmObfuscation:true,vmTargetFunctionsMode:'comment'}

When to use: When you need surgical control over exactly which functions get VM protection, especially nested functions that contain sensitive logic. UnlikevmTargetFunctions which only works with root-level named functions, comment mode lets you protect any function anywhere in your code.

Type:boolean Default:false

Wraps some top-level variable initializers in IIFEs (Immediately Invoked Function Expressions) so they can be VM-obfuscated.

What it does:Without this option, top-level constants and variables remain visible in the output:

// InputconstMY_STRING="my-string";// Output (without vmWrapTopLevelInitializers)constMY_STRING="my-string";// String is visible!

With this option enabled, the initializer is wrapped in an IIFE that gets VM-obfuscated:

// InputconstMY_STRING="my-string";// Output (with vmWrapTopLevelInitializers: true)constMY_STRING=(()=>{return/* VM bytecode call */})();// String hidden in bytecode

Note: This option only works whenvmTargetFunctionsMode is'root' (the default).

Type:boolean Default:false

Makes the VM interpreter smaller and unique for each build.

What it does:

1. Filters unused instructions - If your code doesn't use classes, class-related instructions are removed entirely
2. Randomizes structure - The order of instruction handlers is shuffled each build

As the result - smaller output and each build looks different.

Type:boolean Default:false

Randomizes the numeric values assigned to each opcode. For example, theLOAD instruction might be1 in one build and47 in another.

Type:boolean Default:false

Encodes each bytecode instruction. Instructions are decoded one at a time during execution.

Type:boolean Default:false

Encodes the entire bytecode array as a single block. The array is decoded once at startup before execution begins. Use together withvmBytecodeEncoding for two layers of protection.

Type:string Default:''

Custom encryption key for bytecode array encoding. When set, this key is used instead of the default environment-derived key. The key must be provided at runtime viavmBytecodeArrayEncodingKeyGetter.

This option externalizes the encryption key - it's not embedded in the obfuscated code itself. While the key is still accessible at runtime (and thus not truly secret), this separation prevents static analysis tools from finding the key by examining the code alone.

Important: The key must be availablesynchronously when the obfuscated code loads. Use synchronous storage like cookies, localStorage, sessionStorage, global variables, or DOM elements (e.g., server-injected meta tags). Async methods likefetch() cannot be used directly in the key getter expression.

Type:string Default:''

Synchronous JavaScript expression thatreturns the encryption key at runtime. This expression is evaluated when the obfuscated code loads, and must return the same key that was provided invmBytecodeArrayEncodingKey.

The obfuscated code will only work when the key getter returns exactly the same key that was used during obfuscation. If the keys don't match, decryption will fail and the code will produce garbage or errors. If the key getter returnsundefined,null, or an empty string, the code will throw an error: "VM decryption key not available".

Important: The key should NOT be defined in the same JavaScript file/script as the obfuscated code. Doing so defeats the purpose of key externalization, as static analysis could still find the key. Store the key in a separate source: server-set cookies, localStorage populated by another script, server-injected HTML meta tags, or a global variable set by a different script that loads before the obfuscated code.

Examples:

// From cookievmBytecodeArrayEncodingKeyGetter:"document.cookie.match(/vmKey=([^;]+)/)?.[1]"// From localStoragevmBytecodeArrayEncodingKeyGetter:"localStorage.getItem('vmKey')"// From global variablevmBytecodeArrayEncodingKeyGetter:"window.__VM_KEY__"// From meta tag (server-injected)vmBytecodeArrayEncodingKeyGetter:"document.querySelector('meta[name=\"vm-key\"]').content"// From nested objectvmBytecodeArrayEncodingKeyGetter:"window.config.encryption.key"

Usage example:

// Build timeJavaScriptObfuscator.obfuscate(code,{vmObfuscation:true,vmBytecodeArrayEncoding:true,vmBytecodeArrayEncodingKey:'mySecretKey123',vmBytecodeArrayEncodingKeyGetter:'window.__VM_KEY__'});// Runtime - key must be set before obfuscated code runswindow.__VM_KEY__='mySecretKey123';

Type:boolean Default:false

Encodes jump targets in the bytecode. Jump offsets are calculated at runtime, hiding the control flow structure (if/else, loops, etc.) from static analysis.

Type:boolean Default:false

Adds fake opcode handlers to the VM dispatcher that are never called. For example, if the VM uses 20 real opcodes, this might add 30 fake handlers, making the interpreter appear more complex than it really is.

Type:boolean Default:false

Injects fake bytecode sequences that are never executed. These look like real instructions but are skipped during runtime, confusing analysis tools that process them.

Type:boolean Default:false

Splits the VM dispatcher into multiple smaller switch statements organized by opcode category, instead of one large monolithic switch. Each category (stack, arithmetic, control flow, etc.) gets its own switch, routed by if/else range checks.

This option supportsvmDynamicOpcodes in both modes:true (shuffle first, then split into groups) andfalse.

⚠️ WhenvmIndirectDispatch is enabled, this option is ignored. PrefervmIndirectDispatch as it provides better obfuscation with similar performance.

Type:boolean Default:false

Uses compile-time generated handler functions for opcode dispatch instead of switch statements. Handlers are generated at compile-time with inlined opcode logic and shuffled positions.

Instead of:

switch(op){case0:/* handle opcode 0 */break;case1:/* handle opcode 1 */break;}

It generates:

var_hm={0:42,1:17, ...};// opcode → handler index mappingvar_h=[handler0,handler1, ...];// shuffled handler array_h[_hm[op]](arg);// single lookup + function call

This option supportsvmDynamicOpcodes in both modes.

⚠️ When enabled, this takes priority overvmSplitDispatcher. Both options cannot be active simultaneously.

Type:boolean Default:false

Uses a single unified dispatcher (generator-based) for both sync and async/generator code execution. By default (false), the VM generates two separate dispatchers: a non-generator version for sync code (faster) and a generator version for async/generator code. When enabled, only the generator-based dispatcher is used for all execution.

Trade-offs:

• false (default): Larger code size due to dual dispatchers, but faster sync execution (no generator overhead)
• true: Smaller code size with single dispatcher, but sync code has generator protocol overhead

Use this when code size is more important than sync execution speed.

Type:boolean Default:false

Combines common instruction sequences into single "macro" opcodes. For example,LOAD + ADD + STORE might become a singleMACRO_ADD_TO_VAR instruction. This breaks pattern recognition and can improve performance.

Type:boolean Default:false

Adds anti-debugging measures to the VM runtime. Detects debugger presence and alters behavior when debugging is detected.

Type:boolean Default:false

Derives the opcode mapping table at runtime from a seed value instead of hardcoding it. The seed is stored in the bytecode and used to generate the opcode-to-handler mapping via Fisher-Yates shuffle during execution.

Type:boolean Default:false

Makes opcode meanings depend on position in the bytecode. Each position has a different opcode-to-handler mapping derived from a seed, so the same opcode number performs different operations at different positions.

Type:boolean Default:false

Encrypts values on the VM stack during execution. Values are encoded when pushed and decoded when popped, so memory inspection shows encrypted data instead of actual values.

This option heavily affects performance.

Type:boolean Default:false

Randomizes the bytecode instruction layout per function. Each function can have a different instruction array format:

• Layout 0:[op, arg, op, arg, ...] (interleaved - default)
• Layout 1:[arg, op, arg, op, ...] (swapped interleaved)
• Layout 2:[op0, op1, ..., arg0, arg1, ...] (opcodes first, then arguments)
• Layout 3:[arg0, arg1, ..., op0, op1, ...] (arguments first, then opcodes)

This makes pattern recognition across functions harder during analysis.

Type:boolean Default:false

Randomizes the property key names used in bytecode objects. Standard keys likei (instructions),c (constants) become random 2-character identifiers, making the bytecode structure different for each build.

Type:string Default:binary

Controls how bytecode is stored in the output.

Options:

• binary - Compact binary format. Smaller size, recommended for production.
• json - Human-readable JSON format. Larger size, useful for debugging.

Type:boolean | null Default:null

Allows to specify how the obfuscator should treat code regarding JavaScript strict mode.

Available values:

• null (default) - auto-detect strict mode from the code. If the code has explicit'use strict' directive, ES module syntax, or class methods, it's treated as strict mode. Otherwise, sloppy mode is assumed.
• true - force strict mode treatment for all code, even without explicit'use strict' directive. Use this when your code will run in strict mode context (e.g., in ES modules, bundlers, or modern frameworks).
• false - only explicit strict mode indicators ('use strict', ES modules, class methods) are treated as strict. Parent scope inheritance still applies per JS spec.

Type:boolean Default:false

Enables obfuscation of JavaScript within HTML<script> tags.

When enabled, the obfuscator will:

• Auto-detect if input is HTML (by checking for<!DOCTYPE,<html>,<head>,<body>, or<script> tags)
• Extract JavaScript from<script> tags marked with thedata-javascript-obfuscator attribute
• Obfuscate each marked script individually while preserving the HTML structure
• Inject obfuscated code back into the original positions

Important: Only scripts with thedata-javascript-obfuscator attribute are obfuscated. Each marked script is obfuscated individually and independently. This means:

• Code inside marked script tagsmust be isolated - it must NOT reference variables, functions, or classes defined in other marked script tags
• Unmarked scripts can still access globals defined by marked scripts (viavar declarations or explicitglobalThis assignments)
• This gives you explicit control over which scripts to protect

Obfuscated (must havedata-javascript-obfuscator attribute):

• <script data-javascript-obfuscator> - regular scripts
• <script type="text/javascript" data-javascript-obfuscator> - explicitly typed scripts
• Scripts with any additional attributes (id,class, otherdata-*, etc.)

Skipped (left unchanged):

• Scripts withoutdata-javascript-obfuscator attribute
• <script type="module"> - ES modules (even with the attribute)
• <script src="..."> - external scripts (even with the attribute)
• Empty script tags

Note: Source maps are not generated whenparseHtml is enabled, as they would not map correctly to the HTML output.

Example:

// inputconsthtml=`<!DOCTYPE html><html>  <body>    <!-- This script will NOT be obfuscated -->    <script>      var helper = 'utility';    </script>    <!-- This script WILL be obfuscated -->    <script data-javascript-obfuscator>      var greeting = 'Hello World';      console.log(greeting);    </script>  </body></html>`;JavaScriptObfuscator.obfuscate(html,{parseHtml:true,stringArray:true});// output: HTML with only the marked script obfuscated

es3,es5,es2015,es2016,es2017,es2018,es2019 and partiallyes2020

The README on the master branch might not match that of the latest stable release.

Try to runnpm link javascript-obfuscator command or install it globally withnpm i -g javascript-obfuscator

obfuscator.io

No. JSX support isn't planned.

See:Kind of variables

BigInt obfuscation works correctly only in environments that supportBigInt values. SeeESTree spec

TryrenamePropertiesMode: 'safe' option, if it still doesn't work, just disable this option.

Support us with a monthly donation and help us continue our activities. [Become a backer]

Become a sponsor and get your logo on our README on Github with a link to your site.

Copyright (C) 2016-2026Timofei Kachalov.

Redistribution and use in source and binary forms, with or withoutmodification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain the above copyrightnotice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyrightnotice, this list of conditions and the following disclaimer in thedocumentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSEARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANYDIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OFTHIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.