CBOR Decode Online — CBOR Bytes to JSON (RFC 8949)

Paste base64 or hex CBOR bytes and inspect the decoded JSON, byte length, and parse time. Float16 / float32 / float64, indefinite-length containers, and CBOR tags supported. 100% client-side.

CBOR Input (hex)

Decoded JSON

Click Decode to convert CBOR bytes back to JSON.

Binary Serialization vs JSON

CBOR (Concise Binary Object Representation) is the IETF's standard binary serialization format — RFC 8949 — used wherever an IETF protocol needs a compact, self-describing wire encoding (COSE, CWT, WebAuthn, OSCORE, EAT, SUIT). This decoder reads the bytes per the spec and emits an equivalent JSON tree you can read.

Decoding CBOR is a routine debugging task whenever you adopt the format: a COSE_Sign1 message, a CWT bearer token, a WebAuthn attestation statement from a YubiKey, an OSCORE-protected CoAP payload, or any cache value written by a service that prefers RFC-blessed encodings. Pasting the bytes here gives you the JSON view in milliseconds without spinning up a Python or Go shell.

How to decode CBOR online — 4 steps

Paste the bytes. Drop the base64 or hex string of a CBOR payload into the input panel above.
Pick the input format. Hex tolerates spaces, 0x prefixes, and any letter case; base64 tolerates whitespace.
Click Decode. The parser walks major types and additional info per RFC 8949 and emits the equivalent JSON. Errors include the byte offset.
Inspect and copy. Review the byte length and parse time. Copy the JSON for further use.

Sample input and output

A 25-byte CBOR payload in hex decodes back to the original three-key object.

# Hex input (25 bytes)
a3 62 69 64 18 2a 64 6e 61 6d 65 65 41 74 6c 61
73 66 6f 6e 6c 69 6e 65 f5

# Decoded JSON
{
  "id": 42,
  "name": "Atlas",
  "online": true
}

RFC 8949 Compliant

Reads major types 0–5 and 7, plus tags (major 6) decoded transparently. Float16, float32, float64, and indefinite-length containers all handled.

Fast Parse

Length-prefixed strings and arrays mean no delimiter scanning or escape handling. Megabyte payloads decode in milliseconds.

Browser-Only

The decoder runs in your tab. CBOR payloads carrying attestation statements, customer records, or COSE-signed claims never reach our servers.

Common use cases

check_circleInspecting COSE_Sign1 / COSE_Mac0 / COSE_Encrypt0 message structures
check_circleDecoding CWT (CBOR Web Token) claims sets per RFC 8392
check_circleReading WebAuthn / FIDO2 attestation statements (packed, fido-u2f, tpm, android-key)
check_circleDebugging OSCORE-protected CoAP payloads and EAT entity attestation tokens
check_circleInspecting cache values stored by services using cbor-x or cbor.js
check_circleReading SUIT (Software Update for IoT) firmware manifests
check_circleDecoding IoT telemetry over Thread, Zigbee, BLE, or LoRaWAN that uses CBOR encoding
check_circleVerifying cross-language interop between embedded C clients and JS / Go / Python servers

JSON vs MessagePack vs CBOR vs Protobuf vs BSON

Format	Schema	Size vs JSON	Self-describing	Best for
JSON	None	100% (baseline)	Yes	Public APIs, configs, logs
MessagePack	None	~50–80%	Yes	IoT, caches, mobile APIs
CBOR (RFC 8949)	None	~50–80%	Yes	COSE/CWT, IETF protocols
Protobuf	Required (.proto)	~20–50%	No	gRPC, internal microservices
BSON	None	~110% (often larger)	Yes	MongoDB storage

Round-trip your data

Re-encode the JSON to CBOR, or compare against the MessagePack pair.

CBOR Encode MessagePack Encode MessagePack Decode

Frequently Asked Questions

What input formats does the decoder accept?

Either base64 (whitespace tolerated) or hex (lowercase, uppercase, spaces, optional 0x prefix). Toggle the format above the input panel. The bytes you supply must be a valid CBOR-encoded value per RFC 8949 — typically what comes out of cbor-x, cbor.js, the Python cbor2 library, or any COSE / CWT serializer.

Does this decoder handle COSE / CWT / WebAuthn payloads?

It decodes the CBOR structure underneath. COSE_Sign1, CWT, and WebAuthn attestation are CBOR-encoded arrays / maps with specific known shapes — pasting the bytes here gives you the raw CBOR view, which you can then interpret semantically. CBOR tags (major type 6) are decoded transparently — the wrapped item is returned and the tag number is dropped.

How are uint64 and int64 outside safe-integer range shown?

JavaScript numbers cannot safely represent values above 2^53 − 1. When a CBOR uint64 or negative-int64 falls outside that range, it is shown as a string tagged "(uint64) 18446744073709551615" or "(int64) -9000000000000000000" so you can see the exact value without silent precision loss.

How are byte strings (major type 2) shown?

CBOR distinguishes binary blobs from UTF-8 text. Because JSON has no native byte type, this decoder represents each byte string as an object {"__bin__": "<base64>"} so the bytes survive a JSON.stringify round-trip without corruption.

Are float16 (half-precision) values supported?

Yes — major 7 / additional info 25 (tag 0xf9) decodes through an inline IEEE 754 half-precision conversion: sign / 5-bit exponent / 10-bit fraction → JS number. CoAP / COSE encoders emit float16 to save bytes when the value fits, and this decoder handles all three width classes (float16, float32, float64).

Does the decoder support indefinite-length containers?

Yes. Indefinite-length text strings, byte strings, arrays, and maps (additional info 31, terminated by 0xff break) are read until the break and concatenated / accumulated. This is the form streaming encoders emit when they do not know the length up front.

What does "Truncated CBOR" mean?

The decoder reached the end of the byte buffer mid-value — typically because the input was clipped during copy/paste, or the wrong base64/hex toggle was used. The error message includes the byte offset where parsing failed. Re-copy the full payload and confirm the format toggle.

Is the data uploaded?

No. Decoding runs entirely in JavaScript inside this tab. CBOR payloads carrying attestation statements, customer records, or proprietary schemas never reach our servers. Open DevTools → Network and click Decode to confirm zero outbound requests.