TurnWarden Extension privacy

The TurnWarden Extension does not send your data to TurnWarden's servers. Anything the Extension reads from your browser stays in your browser.

What the extension does

• Reads the active D&D Beyond Monster page only when you click the toolbar icon.
• Tries Monster Lookupfirst: asks D&D Beyond's own monster service API for the Monster on the current page and converts the response into JSON locally, in your browser.
• Falls back to Stat Block Scrape: if Monster Lookup is unavailable, parses the page's stat block into JSON locally, in your browser.
• Places the JSON on your clipboard or offers it as a file download.

What the extension does not do

• No data is sent to TurnWarden's servers.
• No TurnWarden account is required to use the Extension.
• No analytics, telemetry, or tracking of any kind.
• No remote code is executed; all logic ships in the extension package.
• The D&D Beyond page is not modified.

D&D Beyond session cookie

When you click the toolbar icon on a Monster page, the Extension reads your CobaltSession cookie on .dndbeyond.com. That cookie is the proof you're signed in to D&D Beyond, and the Extension uses it to ask D&D Beyond for the Monster's data on your behalf via Monster Lookup.

The cookie value is read locally by your browser and used only to request a short-lived bearer token from D&D Beyond's auth service. The cookie value is never sent to TurnWarden's servers and never stored anywhere outside your browser.

The bearer token is cached only in your browser's session storage and is discarded automatically when you close the browser. The Extension only reads the cookie; it never modifies, sets, or deletes it.

If you're not signed in to D&D Beyond, the Extension silently uses Stat Block Scrape instead — the cookies permission is never exercised in that case.

Permissions

The extension declares the following permissions:

• activeTab— read the currently-open D&D Beyond tab at the moment you click the icon.
• cookies — read the CobaltSession cookie on .dndbeyond.com to authenticate to D&D Beyond on your behalf for Monster Lookup (see above).
• storage— cache the short-lived bearer token in session storage so the Extension doesn't re-authenticate on every Import.

The host_permissions match registers the content-script and authenticated fetches only on D&D Beyond hosts:

• https://www.dndbeyond.com/* — Monster pages (content-script and Stat Block Scrape)
• https://auth-service.dndbeyond.com/* — bearer-token exchange for Monster Lookup
• https://monster-service.dndbeyond.com/* — Monster Lookup itself

Last updated: 2026-05-28.