JSONShield
securityjsonprivacydevtools

Your JSON Formatter Might Be Leaking Your API Keys

Your JSON Formatter Might Be Leaking Your API Keys

In November 2025, security researcher @swati_sys disclosed that jsonformatter.org -- one of the most popular online JSON formatting tools -- had been storing user-submitted data server-side without encryption. An exposed S3 bucket leaked approximately 80,000 files containing raw JSON payloads submitted by developers. Those payloads included API keys, database credentials, OAuth tokens, PII, and internal configuration data.

Let that sink in. Developers were pasting their production secrets into a web form, and those secrets were sitting in a public bucket.

Why This Happens

The workflow is completely natural. You get a blob of JSON from an API response, a log file, or a config dump. It's minified or poorly formatted. You Google "JSON formatter," click the first result, paste your data, and hit Format.

What you might not realize is that many of these tools send your data to a server for processing. They do this because:

  • Server-side processing is easier to implement
  • It lets them log usage metrics (and your data is the metric)
  • Some add "advanced" features like schema validation that run server-side
  • Ad-funded tools use server processing to inject analytics

The formatting itself is trivial -- JSON.parse() + JSON.stringify(obj, null, 2) handles it in two lines of JavaScript. There is absolutely no technical reason to send your JSON to a server.

How to Check if a Tool Is Client-Side

Before you paste anything sensitive into a web tool, take 30 seconds to verify it processes data locally:

Method 1: Check the Network tab

  1. Open your browser's DevTools (F12 or Cmd+Option+I)
  2. Go to the Network tab
  3. Clear existing requests
  4. Paste some test JSON and click Format
  5. Look at the network requests that fire

If you see a POST request to the tool's API with your JSON in the payload, your data is being sent to a server. If the only requests are for static assets, ads, or analytics pings (without your JSON data), processing is likely client-side.

Method 2: Disconnect and test

  1. Open the tool in your browser
  2. Disconnect from the internet (turn off WiFi)
  3. Paste JSON and try to format it

If it still works offline, it's client-side. If it breaks, it requires a server.

Method 3: Read the source

For open-source tools, check the code. Look for fetch() or XMLHttpRequest calls in the formatting logic. If the format button triggers only local DOM manipulation, you're safe.

Safe Alternatives

Here are tools I've verified process JSON entirely in your browser:

  1. Your own terminal -- The safest option. Use jq or Python:
   echo '{"key":"value"}' | jq .
   # or
   echo '{"key":"value"}' | python3 -m json.tool

  1. VS Code -- Open a .json file and hit Shift+Alt+F (or Shift+Option+F on Mac). Your data never leaves your machine.

  1. jsonshield.com -- A client-side JSON formatter specifically built with a privacy-first approach. No data leaves your browser. You can verify by checking the Network tab or testing offline.

  1. Firefox's built-in JSON viewer -- Navigate to any .json URL or type about:debugging and use the JSON panel. Built into the browser, no extensions needed.

Broader Security Habits for Development

The JSON formatter breach is a symptom of a larger problem: developers routinely paste sensitive data into web tools without thinking about where that data goes. Here's how to protect yourself:

Audit your tool usage

Make a list of every online tool you paste data into. For each one, ask: does this need to see my real data? Could I use dummy data instead?

Use environment variables, not config files

If your workflow involves copying API keys out of config files to debug them, your keys are more likely to end up in the wrong place. Use environment variables and access them programmatically.

Rotate keys after suspected exposure

If you've been pasting production credentials into online tools, rotate those keys now. Not tomorrow, not next sprint. Now. Treat it as a security incident.

Set up secret scanning

Enable GitHub's secret scanning (or tools like GitLeaks, TruffleHog) on your repositories. These catch leaked credentials before they reach production.

Establish a team policy

If you work on a team, create a short policy: "Never paste production credentials into online tools. Use local tools for formatting and validation." Pin it in your team's Slack channel.

The Takeaway

The convenience of online developer tools is real, but so is the risk. A tool that takes 2 seconds to use can create a security incident that takes weeks to remediate. Before you paste, check the Network tab. Better yet, default to local tools for anything sensitive.

Your JSON formatter should format your JSON -- not copy it to someone else's server.

Have you been affected by the jsonformatter.org breach? Share your experience in the comments so others can learn from it.

Share:Share on Twitter

Related Tools

JSON Formatter
Format and beautify JSON
JSON Validator
Validate JSON with error locations
JSON Fixer
Auto-repair broken JSON from LLMs
JSON Minifier
Compress JSON to a single line
Want API access + no ads? Pro coming soon.