Never Paste API Keys Into a JSON Formatter Again
In November 2025, two of the most popular online JSON formatters exposed years of user-submitted data. 5GB of credentials. Banks. Government agencies. Fortune 500 companies. The lesson is simple: if a tool sends your JSON to a server, your secrets go with it.
What Actually Happened at jsonformatter.org
In November 2025, researchers at watchTowr Labs — a Singapore-based offensive security firm — published a disclosure revealing that jsonformatter.org and codebeautify.org had been logging user submissions server-side for years. The exposed data totalled 5GB across more than 80,000 files.
This wasn't a sophisticated attack. There was no SQL injection, no zero-day. The data was simply… there. Sitting in an accessible location, waiting for someone to look. The tools had been collecting everything developers pasted into them — and storing it with no apparent expiration policy.
According to The Hacker News' coverage (thehackernews.com), the archive contained credentials from financial institutions, government agencies, and technology companies. BleepingComputer confirmed (bleepingcomputer.com) that the exposure included active API keys, not just historical data.
jsonformatter.org serves roughly 2.4 million monthly visitors according to Similarweb's October 2025 data. At that traffic scale, even a small fraction of users pasting sensitive data amounts to an enormous credential exposure surface.
What Was in Those 5GB of Data
The watchTowr Labs disclosure identified these categories of credentials in the exposed archive:
Cloud Infrastructure
- AWS access keys and secret keys
- GCP service account JSON files (entire auth objects)
- Azure connection strings
Application Credentials
- GitHub personal access tokens and app secrets
- Stripe secret keys (live, not test)
- Slack bot tokens and webhook URLs
Database Credentials
- PostgreSQL and MySQL connection strings
- MongoDB Atlas connection URIs
- Redis AUTH passwords
Internal Systems
- Internal API endpoints with authentication tokens
- JWT signing secrets
- OAuth client secrets
The organizations affected spanned banking, government, and technology sectors. This matters because JSON is the default format for almost every API response, config export, and environment variable file. Developers paste it constantly — often without thinking about what's inside.
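The categories above can be checked for locally before any JSON leaves your machine. The following Node.js sketch is an added example, not code from watchTowr Labs or from any tool named on this page; the patterns are heuristics built on publicly documented token prefixes and URI shapes, and the sample document is constructed.

```javascript
// Added example: flag likely credentials in JSON before pasting it anywhere.
// Heuristic patterns only; a clean result does not prove the JSON is safe.
const RULES = [
  { kind: "AWS access key ID", re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/ },
  { kind: "GitHub token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { kind: "Stripe live secret key", re: /\bsk_live_[A-Za-z0-9]{10,}\b/ },
  { kind: "Slack token", re: /\bxox[abp]-[A-Za-z0-9-]{10,}\b/ },
  { kind: "Slack webhook URL", re: /https:\/\/hooks\.slack\.com\/services\/\S+/ },
  { kind: "Connection string with password",
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|rediss?):\/\/[^\s:@\/]*:[^\s@\/]+@/ },
  // Also catches the private_key field of a GCP service account file.
  { kind: "PEM private key", re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/ },
];
// Key names that suggest a secret even when the value has no known shape.
const SUSPECT_KEY = /secret|passw(?:or)?d|token|api[_-]?key|private[_-]?key/i;

function findSecrets(jsonText) {
  const findings = [];
  const walk = (node, path, key) => {
    if (node !== null && typeof node === "object") {
      const isArr = Array.isArray(node);
      for (const [k, v] of Object.entries(node)) {
        // Array elements inherit the name of the key that holds the array.
        walk(v, isArr ? `${path}[${k}]` : `${path}.${k}`, isArr ? key : k);
      }
    } else if (typeof node === "string" && node.length > 0) {
      const hit = RULES.find((r) => r.re.test(node));
      if (hit) findings.push({ path, kind: hit.kind });
      else if (SUSPECT_KEY.test(key)) findings.push({ path, kind: "Suspicious key name" });
    }
  };
  walk(JSON.parse(jsonText), "$", "");
  return findings; // paths and categories only, never the secret values
}

// Constructed sample; the AWS value is the placeholder key used in AWS docs.
const SAMPLE = JSON.stringify({
  service: "billing",
  aws: { accessKeyId: "AKIAIOSFODNN7EXAMPLE", region: "us-east-1" },
  database_url: "postgres://app:not-a-real-password@db.example.internal:5432/orders",
  jwt: { signing_secret: "constructed-placeholder" },
  retries: 3,
});

console.log(findSecrets(SAMPLE));
```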
How These Tools Store Your Data
Most online JSON formatters work the same way: you paste data, a JavaScript event fires, the data is sent via XHR or fetch to an API endpoint, the server processes and returns the formatted result, and the formatted JSON appears in your browser. The server-side processing step is the problem. Once your data hits a server, it can be logged, stored, indexed, or leaked — intentionally or not.
In jsonformatter.org's case, the tool appears to have stored submissions for features like history, sharing, and analytics. The storage was not intended to be malicious, but inadequate access controls meant the stored data became accessible.
The Risk Hierarchy
How to Check if Your JSON Formatter Phones Home
This takes 30 seconds and requires no special tools — just your browser's built-in DevTools.
1. Open the formatter you want to test. Navigate to the tool in your browser.
2. Open DevTools and go to the Network tab. Press F12 (or Cmd+Option+I on Mac), click "Network". Make sure "All" is selected in the filter bar.
3. Clear existing requests. Click the clear button (trash icon) to start fresh.
4. Paste some JSON. Paste something like {"test": "hello"}. Watch the Network tab immediately.
5. Look for outbound POST requests. If you see any POST, XHR, or fetch requests firing after paste — especially to external URLs — your data is leaving your browser.
A browser-only tool shows zero network activity when you format JSON. You can even take it offline: disconnect your internet and try formatting — it should still work.
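When the Network tab is too noisy to read by eye, the same check can be run over a HAR export of the session. The Node.js sketch below is an added example, not part of the original article: it searches request URLs and bodies for a unique canary string you pasted, and it goes beyond POST requests to cover GET query strings and URL-encoded or base64-encoded bodies. The hostnames, paths and canary value are constructed.

```javascript
// Added example: scan a DevTools HAR export for requests that carry a
// canary string pasted into the formatter under test.

// Return the text as-is plus URL-decoded and base64-decoded views of it.
function decodings(text) {
  const views = [text];
  try {
    views.push(decodeURIComponent(text.replace(/\+/g, " ")));
  } catch { /* not valid percent-encoding; ignore */ }
  views.push(Buffer.from(text, "base64").toString("utf8")); // lenient decode
  return views;
}

// har: parsed HAR 1.2 object; pageOrigin: origin of the tool being tested.
function findLeaks(har, canary, pageOrigin) {
  const leaks = [];
  for (const { request } of har.log.entries) {
    const carriers = { url: request.url, body: request.postData?.text ?? "" };
    for (const [where, text] of Object.entries(carriers)) {
      if (text && decodings(text).some((v) => v.includes(canary))) {
        const thirdParty = new URL(request.url).origin !== pageOrigin;
        leaks.push({ method: request.method, url: request.url, where, thirdParty });
      }
    }
  }
  return leaks;
}

// Constructed sample: hostnames, paths and the canary are hypothetical.
const CANARY = "CANARY7f3a91";
const pasted = JSON.stringify({ test: CANARY });
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://formatter.example/app.js" } },
  { request: { method: "POST", url: "https://formatter.example/api/format",
               postData: { mimeType: "application/json",
                           text: JSON.stringify({ input: pasted }) } } },
  { request: { method: "POST", url: "https://analytics.example/collect",
               postData: { mimeType: "text/plain",
                           text: Buffer.from(pasted).toString("base64") } } },
  { request: { method: "GET",
               url: `https://formatter.example/share?d=${encodeURIComponent(pasted)}` } },
] } };

console.log(findLeaks(SAMPLE_HAR, CANARY, "https://formatter.example"));
```

Use an alphanumeric canary so JSON escaping and percent-encoding leave it intact; an empty result only covers encodings the script knows how to undo.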
Safe Alternatives That Run Entirely in Your Browser
Processes entirely client-side using browser JavaScript. Format, validate, minify, and repair JSON with zero server contact. You can verify this yourself in DevTools — paste any JSON and watch the Network tab show nothing.
Open any .json file and press Shift+Alt+F (Windows/Linux) or Shift+Option+F (Mac). Completely local.
For terminal users, jq is the gold standard:
FAQ
Is it safe to paste API keys into online JSON formatters?
No. Most online JSON formatters send your input to their servers. In November 2025, jsonformatter.org and codebeautify.org were found to have stored user submissions and exposed 5GB of credentials. Use a browser-only formatter that processes data locally.
What should I do if I've already pasted API keys into an online formatter?
Rotate your keys immediately. Go to AWS IAM, GitHub Settings, Stripe Dashboard, or wherever the key was issued, and generate a new one. Revoke the old key. Don't wait — exposed credentials get harvested quickly by automated scanners.
How do I know if a JSON formatter sends data to a server?
Open DevTools (F12) → Network tab → paste JSON → watch for outbound POST requests. If you see any, your data is leaving your browser. A browser-only tool shows zero network activity.
Are there any browser extensions for safe JSON formatting?
Yes. JSONView (Chrome/Firefox) formats JSON directly in your browser for API responses and .json files, with no data transmission. It's fully local.
Format JSON Without Sending It Anywhere
Our JSON formatter runs 100% in your browser. No servers. No logs. No accounts. Your data never leaves this tab — you can disconnect your Wi-Fi and it still works.