buncha.tools
Blog / A JSON Formatter That Doesn't See Your Data
developerjsonprivacytools

A JSON Formatter That Doesn't See Your Data

May 5, 2026·4 min read

JSON formatting is the most-used dev tool on the internet. Every API response, every config file, every webhook payload, every error log — engineers paste them into a formatter dozens of times a day. The top Google result for "JSON formatter" gets billions of pastes per year.

That formatter — and its top-10 competitors — almost universally do their work server-side. You paste; their server parses; they return formatted output. The privacy implication of that flow is worth thinking through.

What gets pasted into a JSON formatter

Consider a few categories of typical paste:

  • API responses with user data — names, emails, addresses, phone numbers, internal user IDs.
  • Webhook payloads — Stripe events with charge amounts and partial card details, OAuth callbacks with tokens.
  • Error logs — stack traces with file paths, request bodies, sometimes including auth headers.
  • Internal config — database connection strings, API keys (if you're being careless), feature flags.
  • GraphQL queries / responses — the schema of your application.

Each of these is being voluntarily sent to a third party — typically with no encryption beyond TLS in transit, then sitting in their server logs. JSON formatters get to read every paste. The popular ones are run by companies that monetize via ads, freemium upgrades, or enterprise plans — none of those business models pay for the security and retention practices an enterprise log-management vendor would.

The "we don't store anything" claims

The big formatters all have privacy-policy language saying they don't store the data you paste. Let's take that at face value — server logs almost universally retain entries for at least 30 days for operational reasons (debugging, abuse detection, billing reconciliation). "We don't store the JSON" usually means "we don't keep it after the response" — which is technically true and operationally meaningless if your log captures every request body.

A more privacy-honest position: there's no reason for a JSON formatter to see the data at all. The work is purely client-side computation.

Browser-only JSON formatting

Buncha's JSON Formatter parses, validates, and pretty-prints in JavaScript that runs in your browser. Pull up the network tab while you paste — there's no outbound request during the formatting. The data never leaves your machine.

Capabilities:

  • Format / minify — pretty-print with 2-space (or 4-space, or tab) indentation, or strip whitespace for transport.
  • Validate — points to errors with line/column.
  • JSON5 / JSONC — comments (//, /* */) and trailing commas tolerated on parse, stripped on output (because real JSON doesn't allow them).
  • Folding — collapse long arrays/objects via the depth slider.
  • Copy — formatted output to clipboard with one click.

Same browser-only property is true across the rest of the developer tools — JWT decoder, Base64, URL encoder, hash generator, regex tester, diff checker. All of them are pure-function transformations on text. There's no reason any of them need to round-trip through a server.

What about huge JSON files?

The browser approach has one real limit: very large files. Browsers handle 10 MB of JSON comfortably; 100 MB starts to stutter on the format pass; 1 GB is going to crash the tab. For files that big, you'd want a CLI tool (jq, fx) running locally, not a web tool either way.

Server-side formatters often handle larger inputs because they have more memory and can stream the parse. That's a real advantage — but most pastes are <1 MB, where the browser path is faster (no upload time) and the privacy story is different.

The broader pattern

JSON formatters are the easy case for "this should run in the browser" — they're pure functions on plain text, no heavy ML, no networked dependency. Most "small" dev tools fit the same pattern. If you find yourself repeatedly pasting sensitive data into a third-party tool that does pure-function transformations, it's worth checking whether the same job exists as a browser-only version.

For the JSON case specifically: there's no reason to give a stranger your API responses. The browser handles this fine.

Try these tools for free
100+ free tools for developers, designers, writers, and students.
Browse all tools

More from the blog

WebP vs AVIF vs JPG: Which Image Format Should You Use in 2026?
8 min read
How to Convert WebP to PNG (Without an Account or Upload)
4 min read
b
Built browser-first. Run by one developer.
Every tool runs on your device. No tracking pixels, no sign-up to start. The numbers below are pulled live from the registry.
240
Free tools
Across 14 categories
7
Visual editors
PDF · image · video · audio
32
Curated kits
By profession + lifestyle
17
AI tools
Powered by Claude API
Files never uploadNo tracking pixelsNo sign-up neededWorks in any modern browser
The handful of AI tools (paraphrase, summarise, blog, captions, etc.) send your prompt text to Anthropic's Claude API to do the work. Files, images, PDFs and video never leave your device. Pick the tools that fit your privacy comfort.