JSON Canonicalizer

How to use

1. 1Paste a JSON value (object, array, or any scalar) into the input. The five sample buttons demonstrate key reordering, number normalization, Unicode keys, signed-webhook style payloads, and control character escaping.
2. 2Read the Canonical JSON output: it is the exact byte sequence RFC 8785 produces for your input. Copy it for use with a signing library.
3. 3Use the SHA-256 of the canonical UTF-8 bytes when you need to HMAC, fingerprint, or sign the document. Two semantically equal documents always produce the same hash.
4. 4Open the rewrites panel to see what changed: which keys were reordered, which numbers were re-rendered with ECMA-262 ToString, and which strings were re-escaped under the minimal RFC 8785 escape set.
5. 5Switch to Compare two and paste a second document to verify that a payload re-serialized elsewhere still canonicalizes to the same bytes and the same SHA-256. The status pill shows equal or not equal at a glance.

About this tool

JSON Canonicalizer produces the single deterministic byte sequence that the IETF JSON Canonicalization Scheme (RFC 8785, March 2020) defines for any JSON value. The output is intended as the exact bytes you feed into a signing or hashing function, so two producers that emit semantically equal JSON always agree on the bytes they sign. The implementation follows the four RFC 8785 rules: object members are emitted in ascending order by UTF-16 code unit (the same ordering as a default JavaScript string sort, applied recursively to every nested object); numeric values are emitted using the ECMA-262 Number-to-String algorithm so 1e3 becomes 1000, 1.0 becomes 1, 100.0 becomes 100, -0 becomes 0, and NaN/Infinity are rejected (JSON does not allow them anyway); strings use the minimal RFC 8259 escape set, namely the six named escapes for double quote, backslash, backspace, form feed, line feed, carriage return, and tab, plus the six-character \u00XX form for the remaining control characters U+0000 to U+001F, while every other code point (including non-ASCII like CJK ideographs, accented Latin, and emoji surrogate pairs) is emitted verbatim and ends up as its UTF-8 bytes in the byte output; and no whitespace is emitted between tokens. Once the canonical string is built it is encoded as UTF-8, the byte count is shown, and a SHA-256 of those bytes is computed via the browser SubtleCrypto API. That SHA-256 is the value you would HMAC for a webhook proof or sign with an Ed25519 / ECDSA key for content-addressed storage, Sigstore-style attestations, Verifiable Credentials Data Integrity proofs, or JOSE/COSE detached signatures. A Compare two mode canonicalizes a pair of documents side by side and reports whether the canonical bytes match, which is the fastest way to confirm that a payload re-serialized by another library is still byte-identical for signing. An audit panel highlights every rewrite the canonicalizer applied: keys reordered, number literals normalized, strings re-escaped, so you can teach the difference between a casual JSON dump and a canonical one without leaving the page. All work runs in the browser; no input is uploaded.

Free to use. Works in your browser. No signup, no login.