CBOR (Concise Binary Object Representation) is a binary serialization format defined by RFC 8949 that encodes the same data model as JSON in far fewer bytes. It is the wire format for WebAuthn credential payloads, COSE signed messages, CoAP and a wide range of IoT protocols. This tool takes ordinary JSON and produces the equivalent CBOR as a hex dump and base64 string, so you can build and inspect those payloads by hand.
How it works
Every CBOR item starts with a head byte whose top 3 bits encode the major type and whose low 5 bits encode the additional information:
- Integers (major types
0and1) are written with the smallest head that fits the value — inline for0–23, then 1, 2, 4 or 8 following bytes. - Text strings (major type
3) are UTF-8 encoded with a length prefix. - Arrays (major type
4) and maps (major type5) write their element count, then each item — recursively. true,falseandnullare the single bytes0xf5,0xf4and0xf6, and non-integer numbers are written as an IEEE 754 double after the0xfbhead byte.
The encoder walks your parsed JSON value following exactly these rules, producing definite-length output that any conformant CBOR decoder can read back.
CBOR major type quick reference
| Major type | Bits 7–5 | What it encodes |
|---|---|---|
| 0 | 000 | Unsigned integer |
| 1 | 001 | Negative integer |
| 2 | 010 | Byte string |
| 3 | 011 | Text string (UTF-8) |
| 4 | 100 | Array |
| 5 | 101 | Map (object) |
| 6 | 110 | Tagged item |
| 7 | 111 | Float and simple values (true/false/null) |
JSON only uses types 0, 1, 3, 4, 5, and the float/simple type — which is why this tool can fully round-trip any JSON value.
Example
The JSON {"a":1,"b":[2,3]} encodes to the hex a2 61 61 01 61 62 82 02 03:
a2 map of 2 pairs
61 61 text "a"
01 unsigned int 1
61 62 text "b"
82 02 03 array [2, 3]
That is 9 CBOR bytes versus 17 bytes of JSON text. The tool reports this comparison for any input so you can see the savings, and everything runs locally in your browser.
Where you encounter CBOR in practice
WebAuthn / FIDO2 — browser attestation objects, client data, and authenticator data are all CBOR-encoded. When debugging passkey or hardware key flows, being able to decode CBOR hex to readable JSON is essential.
COSE — the CBOR Object Signing and Encryption standard (RFC 8152) wraps JWS/JWE-equivalent signing and encryption in CBOR. It is used in FIDO2, IoT device attestation, and secure supply-chain formats.
CoAP — the Constrained Application Protocol (RFC 7252) is HTTP for microcontrollers and IoT devices. CoAP payloads are commonly CBOR because embedded devices cannot afford JSON parsing overhead.
IPFS / DAG-CBOR — the IPFS distributed file system uses a CBOR variant called DAG-CBOR for content-addressed data blocks.