Section

Getting Started

Obfuscator.io transforms your readable source code into a protected version that's difficult to understand and reverse-engineer. It's perfect for protecting proprietary algorithms, licensing logic, and business-critical code.

Welcome to Obfuscator.io

This guide walks you through obfuscating your first file, choosing a preset, and understanding the options panel. For deeper dives, see the VM Obfuscation, Basic Obfuscation, and Best Practices sections.

Need Help?

If you encounter any problems with VM obfuscation, please report them to support@obfuscator.io.

When reporting an issue, please include: the error message, your environment (browser/Node.js version), the preset and options used, and if possible, a minimal code sample that reproduces the problem.

Quick Start

1. Paste your code
Enter your JavaScript code in the left editor panel. You can paste code directly or use the file upload feature for batch processing.
2. Choose a preset
Select a preset from the dropdown in the Options panel. Start with Low Obfuscation for minimal changes or Medium Obfuscation for balanced protection. VM presets provide the strongest security.
3. Click "Obfuscate"
Hit the Obfuscate button to transform your code. The protected output appears in the right panel.
4. Copy or download
Use the Copy button or Download to get your obfuscated code. The output is ready to use in production.

Code Compatibility

Important

Obfuscation (both VM and non-VM) transforms your code in ways that affect certain JavaScript runtime behaviors. Your code must not rely on these features:

function.toString() / class.toString()
Obfuscation completely changes the source code representation. Code that parses or compares function source will break.
function.name / class.name
Function and class names are renamed to random identifiers. Code that relies on .name for logging, serialization, or reflection will get obfuscated names.

// Before obfuscation
function calculatePrice() { return 100; }
console.log(calculatePrice.name);     // "calculatePrice"
console.log(calculatePrice.toString()); // "function calculatePrice() { return 100; }"

// After obfuscation
console.log(calculatePrice.name);     // "_0x1a2b3c" (random)
console.log(calculatePrice.toString()); // Completely transformed code

Tip: If you need to preserve function names for specific purposes (like error reporting), define them as string constants instead of relying on .name.

Basic Options

Before obfuscating, configure these basic options to match your target environment.

Target

target

Specifies the execution environment for the obfuscated code:

browser (default) — standard web page environment. Output code is identical to node, but some browser-specific options are not allowed to use with the node target.
browser-no-eval — same as browser, but the output does not use eval(). Use when the target page has a Content Security Policy that forbids eval/unsafe-eval.
node — Node.js environment. Browser-specific options are disabled (they require window/document and would be no-ops or throw in Node). Some vmSelfDefending defenses that rely on browser-only APIs — headless-browser detection, iframe-based clean-realm recovery, anti-inspector/DOM checks — are not emitted for this target.
service-worker — Service Worker context. No window, no document, different self global.
userscript — userscript manager sandbox (e.g. Tampermonkey). vmSelfDefending defences are adjusted accordingly. Requires obfuscator v6.9.0+.

Strict Mode

strictMode

Controls how the obfuscator handles JavaScript strict mode:

Auto (default) — Auto-detect strict mode from the code. The obfuscator analyzes your code for "use strict" directives
Enable — Force strict mode treatment for all code, regardless of whether "use strict" is present
Disable — Only explicit "use strict" directives in the source code are treated as strict mode

Tip: If your bundler adds "use strict" automatically (like Webpack in production), but you obfuscate before bundling, set this to Enable to ensure correct behavior.

Understanding Presets

Presets are pre-configured option combinations. There are two separate groups:

VM Presets

Pro

(bytecode virtualization)

Preset	Security	Performance	Features
`VM Low`	Good	~3.5x	Basic VM, indirect dispatch
`VM Medium`	Strong	~4-5x	+ Opcode shuffle, encoding, decoys
`VM High`	Very Strong	~5-6x	+ Dead code, stateful opcodes, stack encoding
`VM Ultra High`	Maximum	~12-20x	+ Non-VM obfuscation layers

Non-VM Presets

(standard obfuscation)

Preset	Protection	Performance	Features
`Default`	Basic	Minimal	String array, simplify
`Low`	Light	~1.1x	+ Self-defending, disable console
`Medium`	Moderate	~1.5x	+ Control flow, dead code, base64
`High`	Strong	~2x	+ Debug protection, rc4 encoding

VM presets provide significantly stronger protection by converting code to bytecode. Use them for your most sensitive functions while keeping the rest of your code on non-VM presets for better performance.

Interface Overview

Input Editor
— Paste or type your JavaScript source code. Drag & drop files or use the upload button. HTML files with inline scripts are also supported
Pro
.
Output Panel
— Displays the obfuscated result. Use Copy or Download buttons to get the protected code.
Preset Selector
— Choose VM or Non-VM presets. VM presets are grouped at the top. The preset determines base options that you can customize.
Options Panel
— Fine-tune obfuscation settings. Click the ? icon next to any option to see its documentation.
Obfuscate Button
— Transforms your code using selected options. VM presets are processed server-side; non-VM presets run in your browser.
Multi-file Upload

Pro
— Process multiple files at once and download as ZIP.
History Panel

Pro
— Access your previous obfuscations and restore input/output.

VM Obfuscation