Paper
Native plugin.yml support
Enterprise-Grade Protection · v2.0
Protect Your Java JARs
Without Breaking Them.
Advanced obfuscation built for Minecraft plugins and premium software. Zero performance impact, absolute security. Runs 100% on your machine.
Trusted by Engineering Teams
PaperMC
Velocity
Hypixel
Mojang Studios
CurseForge
Modrinth
9
Profiles
16
Pass Pipeline
AES-256
String Encryption
0
Files Uploaded
See What Gets Protected
core-plugin-v2.4.jar
Completed in 4.2s · paper-safe profile
94%
Protection Score
Original Size
2.4 MB
Output Size
2.8 MB +16%
Classes Renamed
847
Strings Encrypted
1,204
Applied Passes
flow-obfuscation
string-encryption
class-renaming
method-renaming
field-renaming
opaque-predicates
integer-encryption
+9 more
Built for Engineering Velocity
Integrate ShieldX directly into your workflow. Protect JARs from your terminal or web dashboard — no server dependency, no upload.
- Fully offline — engine runs locally on your machine
- Interactive panel — menu-driven terminal UI, no browser needed
- Web dashboard at localhost — full UI in your browser
- Mapping file per job — deobfuscate stack traces in production
- Zero telemetry — no analytics, no pings, no cloud dependency
$ shieldx protect ./plugin.jar \
--profile paper-safe \
--output dist/
[info] Analyzing artifact...
[info] Smart Safe: excluded 12 classes
[info] Applying 16 passes...
[info] Repackaging output JAR...
[success] Saved to dist/plugin.protected.jar (1.2s)
Built for the Ecosystems You Use
Smart Safe Mode reads each platform's manifest and auto-excludes critical classes. No manual config needed.
Spigot
Full backwards compatibility
Velocity
Proxy network ready
BungeeCord
Legacy proxy support
Fabric
Mixin-aware, mod ecosystem safe
Forge
Heavy modpack compatible
Java App
Standard JAR protection
Spring Boot
Reflection-safe enterprise
Everything You Need to Protect
Your Intellectual Property
Production-grade obfuscation that runs entirely on your infrastructure — no trust required.
AES-256 String Encryption
Every string literal in your bytecode is encrypted with AES-256 and per-class keys. Strings are decrypted lazily at the call site — zero overhead, maximum protection.
Control Flow Obfuscation
Rewrites your bytecode into an irreducible control flow graph that defeats Procyon, CFR, Fernflower, and every major Java decompiler.
Smart Safe Mode
Reads plugin.yml, fabric.mod.json, velocity-plugin.json, and other manifests to auto-exclude entrypoints, listeners, commands, and API surfaces from renaming.
16-Pass Transformation Pipeline
Sixteen stacked bytecode transformations applied in a single obfuscation run — class renaming, method renaming, opaque predicates, integer encryption, and more.
Zero Performance Impact
Obfuscation happens at build time. Your protected JAR runs at the same speed as the original — the JVM sees optimized bytecode, not interpreted overhead.
9 Production Profiles
Profiles tuned for Paper, Spigot, Fabric, Forge, Velocity, BungeeCord, Spring Boot, shared libraries, and maximum-aggression standalone apps.
From Install to Protected JAR in Seconds
Step 01
Install
One curl command. Installer detects your OS, sets up Node.js, and puts shieldx in your PATH.
Step 02
Protect
Choose a profile. The engine runs 16 transformations while Smart Safe Mode preserves every manifest-referenced API surface.
Step 03
Ship
Download the protected artifact. All files stay in ~/.config/shieldx/ — zero cloud retention.
Every Protection Method, In One Pipeline
Sixteen production-grade bytecode transformations grouped into four domains.
Naming
Class Renaming
Rewrites class identifiers to opaque tokens. Auto-excludes plugin entrypoints, mixins, and reflection targets.
Method Renaming
Mangles method names while preserving public API surfaces, event handlers, and Bukkit listeners.
Field Renaming
Renames internal fields to unprintable identifiers. JPA columns and Spring beans stay intact.
Package Remapping
Flattens or rewrites package paths to break IDE navigation and frustrate decompiler heuristics.
Strings & Data
AES String Encryption
AES-256 encrypts every string literal with per-class keys. Decrypted lazily at the call site.
Memory-Safe Strings
Strings live as char arrays cleared after use, defeating heap dumps and memory scrapers.
Enhanced Encryption
Multi-layer XOR + AES with runtime-derived keys tied to JVM identity for sandbox resistance.
Integer Encryption
Replaces numeric constants with arithmetic expressions that resolve at runtime. No traceable magic numbers.
Control Flow
Flow Obfuscation
Rewrites control flow as an irreducible graph that defeats Procyon, CFR, and Fernflower.
Opaque Predicates
Injects always-true conditions referencing computed state to mislead static analyzers.
Arithmetic Transformer
Rewrites simple ops as equivalent algebraic identities to obscure intent and confuse decompilers.
Switch → If Conversion
Lowers tableswitch/lookupswitch into chained conditionals with synthetic dispatch keys.
If Trapping
Converts conditional branches into exception-driven jumps that confuse decompiler IR.
Cleanup & Hardening
Dead Code Removal
Strips unreachable instructions, debug attributes, source filenames, and synthetic bridges.
Useless Try/Catch
Wraps real logic in synthetic exception handlers that propagate as no-ops at runtime.
Aggressive Profile
Composes every transformation simultaneously. Recommended only for fully self-contained applications.
Integrity Watermark
Embeds a cryptographic fingerprint in META-INF to prove the JAR passed through the ShieldX engine.
One Command to Get Started
Installer handles Node.js automatically. Works on macOS, Linux, and Windows. Fully offline after install.
sh
Requires a terminal. Installs Node.js automatically via nvm if not found.
ps1
Run PowerShell as Administrator. Installs Node.js via winget if not found.
npm
Requires Node.js 18+. Available on npm: npmjs.com/package/shieldx-cli
Every Command You Need
Full CLI — from one-liner obfuscation to full web dashboard and interactive panel.
shieldx panelInteractive Panel
Menu-driven TUI — upload, pick profile, obfuscate, download. No browser, no account, fully offline.
shieldx panel # menu UI
shieldx p # alias
shieldx obfuscateOne-liner
Protect any JAR from the terminal. Output saved next to the input file.
shieldx obfuscate Plugin.jar
shieldx obfuscate Plugin.jar --profile paper
shieldx obfuscate App.jar --verbose
shieldx o Mod.jar -o dist/
shieldx serveWeb Dashboard
Launch the full web UI at localhost. Upload JARs, view scores, download output — all local.
shieldx serve # start :3001
shieldx serve --build # build first
shieldx serve --port 8080
shieldx serve --no-open
shieldx jobsJob History
List, inspect, and delete local job history stored in ~/.config/shieldx/.
shieldx jobs # list all
shieldx job <id> # detail
shieldx jobs delete <id>
shieldx jobs list --limit 20
shieldx doctorHealth Check
System diagnostics — Node version, local storage stats, disk usage, optional server ping.
shieldx doctor
shieldx check # alias
shieldx configConfiguration
View and set CLI config — default profile, output directory, server URL, auto-open, and more.
shieldx config show
shieldx config set defaultProfile paper
shieldx config set outputDir ./dist
shieldx config reset
9 Profiles, Every Platform Covered
Smart Safe Mode reads your manifest and auto-excludes critical classes — so your plugin loads correctly every time.
paper-safe★ Recommended
Paper / Spigot Plugins
Reads plugin.yml. Excludes main class, commands, and listeners from renaming. Safe on all Paper 1.8–1.21+ servers.
fabric-safe
Fabric Mods
Reads fabric.mod.json. Preserves mixin targets and entrypoints. Compatible with Fabric Loader 0.14+.
forge-safe
Forge / NeoForge Mods
Preserves @Mod annotations, event bus subscribers, and capability handlers. Works with Forge 36+ and NeoForge.
velocity-safe
Velocity Proxy Plugins
Reads velocity-plugin.json. Preserves @Plugin classes and event subscribers for Velocity 3.x.
bungee-safe
BungeeCord Plugins
Reads bungee.yml. Excludes main class, listener registrations, and command executors from renaming.
library-safe
Shared Libraries
Preserves your public API surface — public classes, methods, and fields keep their names. Internal code is fully obfuscated.
enterprise-safe
Enterprise Java Apps
Balanced protection for production Java applications. Heavy string encryption and flow obfuscation with reflection-safety.
smart-safe
Auto-detect (Smart)
Reads all known manifests and auto-picks the safest settings. Best starting point when you're unsure which profile to use.
aggressiveMAX
Maximum Obfuscation
All transforms enabled simultaneously. Highest possible protection score. May break reflection-heavy code — test before shipping.
Your Files Never Leave Your Machine.
No telemetry, no upload, no cloud dependency of any kind. Every byte of your code stays on your own hardware.
- All processing happens locally — never sent to our servers
- No telemetry, no usage analytics, no crash reporting
-
Output stored in
~/.config/shieldx/— fully under your control - Air-gap compatible — works without any internet connection
~/.config/shieldx/
~/.config/shieldx/
├── config.json # CLI config
└── jobs/
├── <jobId>/
│ ├── input.jar # original
│ ├── output.jar # protected
│ ├── mapping.txt # deobfuscation map
│ └── report.json # job metadata
Frequently Asked Questions
Everything you need to know about ShieldX before getting started.
Does ShieldX upload my JAR files to a server?
No. ShieldX runs 100% locally on your machine. Your JAR files are never uploaded to any cloud or external server. All processing happens on your own hardware, including the obfuscation engine, all transformations, and file output.
Will ShieldX break my Minecraft plugin?
No — when you use the correct profile. Smart Safe Mode reads your plugin.yml, fabric.mod.json, or velocity-plugin.json and automatically excludes entrypoints, listeners, commands, mixins, and API surfaces from renaming. Your plugin will load and run correctly every time.
Which Java frameworks and platforms does ShieldX support?
ShieldX natively supports Paper, Spigot, Velocity, BungeeCord, Fabric, Forge/NeoForge, Spring Boot, shared libraries, and standard Java applications. It reads each platform's manifest file to auto-configure protection rules automatically.
What obfuscation techniques does ShieldX use?
ShieldX applies a 16-pass pipeline including: AES-256 string encryption, control flow obfuscation, class/method/field renaming, opaque predicates, arithmetic transformation, integer encryption, memory-safe strings, dead code removal, package remapping, if-trapping, switch-to-if conversion, and more.
Does obfuscation slow down my JAR at runtime?
No. Obfuscation happens at build time. The JVM executes the same bytecode instructions — just with different names and structures. There is zero runtime performance overhead. String decryption is done lazily at the call site, adding nanoseconds of overhead at most.
Can I deobfuscate my own stack traces after shipping?
Yes. ShieldX generates a mapping.txt file for every job, stored in ~/.config/shieldx/jobs/<jobId>/. You can use this file to deobfuscate stack traces back to readable class and method names in production logs.
Start Protecting Your Code Today
One command. No account. No upload. Your JARs stay on your machine — always.