Obfuscate
Paste PHP or JavaScript, choose expiry and restrictions, then download a ready-to-ship protected package.
What changed
Protection without the scary loader
The default PHP output no longer uses eval(). It validates the license token first, decodes the payload, writes a protected runtime cache file, and loads it with require. JavaScript output uses a validated Blob script loader instead of runtime evaluation.
No-eval default
Generated files avoid the keyword that security scanners and customers usually dislike.
Server-side control
Tokens can expire and can be tied to a customer server or domain.
Safer signup
Registration is checked before account creation and before activation mail is sent.
Core workflow
Built for licensed code delivery
Validate
Every protected file checks the inDark validator before loading the decoded payload.
Clarify
Owners can decode their own protected files with the correct token for audit and recovery.
Security stance
Practical controls, not theater
Obfuscation is not a replacement for secure architecture, but it can protect commercial logic, reduce casual copying, and enforce license rules when paired with token validation and logging.
Expiration
Limit generated packages to a defined number of days or issue long-lived tokens when needed.
IP and domain rules
Restrict execution to a server IP or a customer domain, enforced by the validator.
Audit trail
Track obfuscation and clarification actions without storing source code in logs.