JSON Formatting Tools: Privacy Risks and Safe Practices
JSON is the universal data format of the web — and one of the most common carriers of accidentally exposed personal data. This guide covers the privacy risks in JSON payloads, how to detect sensitive data, and how to safely work with JWT tokens and API responses.
JSON and Privacy: An Overlooked Risk
JSON (JavaScript Object Notation) is the dominant format for REST API communication, configuration files, data exports, and web application state. Its human-readable structure makes it easy to work with, but this readability also means that any sensitive data embedded in a JSON payload is immediately visible to anyone who intercepts or gains access to the data.
The privacy risks in JSON manifest in several common scenarios: API responses that include more user data than necessary (over-fetching), configuration files committed to version control containing credentials, debug logs that capture full API payloads including authentication tokens, and data exports for analytics that carry unredacted PII.
Understanding these risks — and knowing how to detect and remediate them — is an essential skill for any developer or data engineer working with modern APIs and web applications.
Privacy Risks in API JSON Responses
REST APIs designed around resource-oriented architecture often return entire objects when only a portion of the data is needed. A GET /user/123 endpoint might return a JSON object with 40 fields including email, phone, physical address, date of birth, payment method last four digits, and internal system IDs — even when the calling application only displays the username and avatar.
This over-fetching pattern creates several risks: the data is transmitted unnecessarily, it may be logged by intermediate proxies or analytics tools, it may be cached in local storage or browser history, and it increases the blast radius of any client-side compromise.
When auditing a JSON payload for sensitive data, paste it into our PII Pattern Detector for instant colour-coded annotation of all detected personal information, or use the Sensitive Data Scanner for a detailed line-by-line report with severity ratings.
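The two remediations the over-fetching passage implies, returning only the fields a view needs and redacting what reaches a log line, as an added example that is not part of the original page or its tools. The user record, field names, audiences and function names are constructed for illustration:

```javascript
// Added example (not from the original page): minimise what a JSON API
// returns, and redact what gets logged. Record, field names and helper
// names are constructed assumptions for illustration.

// A constructed, over-fetched user record of the kind GET /user/123 might return.
const fullUser = {
  id: 123,
  username: "alice",
  avatar_url: "https://cdn.example.test/a/123.png",
  email: "alice@example.test",
  phone: "+44 7700 900123",
  date_of_birth: "1990-04-02",
  address: { line1: "1 Example Street", city: "London", postcode: "N1 9GU" },
  payment: { brand: "visa", last4: "4242", token: "tok_live_9f8e7d6c" },
  internal_shard: "eu-west-2-07",
  session_token: "eyJhbGciOiJIUzI1NiJ9.e30.sig",
};

// Allowlists per audience: each caller gets only what that view displays.
const VIEW_FIELDS = {
  public: ["id", "username", "avatar_url"],
  self: ["id", "username", "avatar_url", "email", "payment.brand", "payment.last4"],
};

// Copy only the listed (possibly dotted) paths from src into a fresh object,
// so a field that is not on the list cannot leak by accident.
function project(src, paths) {
  const out = {};
  for (const path of paths) {
    const keys = path.split(".");
    let cur = src;
    for (const k of keys) {
      if (cur === null || typeof cur !== "object" || !(k in cur)) { cur = undefined; break; }
      cur = cur[k];
    }
    if (cur === undefined) continue;
    let dst = out;
    for (const k of keys.slice(0, -1)) dst = dst[k] ??= {};
    dst[keys[keys.length - 1]] = cur;
  }
  return out;
}

function serializeUser(user, audience) {
  const fields = VIEW_FIELDS[audience];
  if (!fields) throw new Error(`unknown audience: ${audience}`);
  return project(user, fields);
}

// Keys whose values must never reach a log line, matched case-insensitively.
const SENSITIVE_KEY = /(password|secret|token|authorization|cookie|ssn|email|phone|date_of_birth|address)/i;

// JSON.stringify replacer: JSON.stringify walks nested objects and arrays
// itself, so deeply nested fields are masked without custom recursion.
function redactingReplacer(key, value) {
  if (key && SENSITIVE_KEY.test(key)) return "[REDACTED]";
  return value;
}

function safeLogLine(label, payload) {
  return `${label} ${JSON.stringify(payload, redactingReplacer)}`;
}

// Usage: the API responds with the projection; the debug log sees a redacted copy.
const publicView = serializeUser(fullUser, "public");
const selfView = serializeUser(fullUser, "self");
const logLine = safeLogLine("user.fetch", fullUser);
```

The allowlist is deliberately the only way a field gets out: adding a column to the user table changes nothing in the public response until someone adds it to VIEW_FIELDS. Key-name redaction is a backstop for logs, not a substitute for the allowlist, because it cannot recognise a sensitive value stored under an innocuous key.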
JWT Tokens: Decoded JSON in Your Auth Headers
JWT (JSON Web Token) is one of the most widely used token formats for authentication and authorization on the web. A JWT consists of three Base64URL-encoded segments separated by dots: a JSON header that names the signing algorithm, a JSON payload, and a signature computed over the first two segments. The payload contains "claims": structured data about the authenticated user and the token itself, such as the subject, issuer, and expiry time.
A critical and frequently misunderstood property of JWT: the payload is not encrypted. It is Base64URL-encoded, which is trivially reversible. Anyone who obtains a JWT can decode and read its payload without any key. This applies to the common signed form (JWS); encrypted JWTs (JWE) exist, but they are not what most session and API tokens use, so treat any claim you put in a JWT as public. JWTs should never contain sensitive personal data like full email addresses, passwords, social security numbers, or private business logic, only the minimum claims required for authorization decisions.
Use our JWT Decoder to inspect any JWT token. It decodes all three segments, explains each claim in plain English, shows expiry status in real time, and flags algorithm security issues, for example a header of alg: none, which a verifier that trusts the header's algorithm will accept as an unsigned token and skip signature verification entirely. Decoding tells you what a token says; only verifying the signature with the right key tells you whether to trust it.
Credentials in JSON Configuration Files
Configuration files in JSON format, such as .env.json, config.json, and cloud provider configuration files, are a chronic source of credential leakage. Developers frequently commit API keys, database passwords, private keys, and authentication tokens directly into JSON config files, which then get pushed to version control repositories and exposed publicly. Because the file stays in the repository history, removing the value in a later commit does not undo the exposure; the credential has to be rotated.
Before committing any JSON file to a repository or sharing it with a colleague, scan it for sensitive patterns. Common culprits include AWS access key IDs (starting with AKIA, or ASIA for temporary credentials), PEM private key headers, database connection strings containing passwords, and generic api_key or secret fields. Pattern matching only catches known shapes: a random-looking value in a field named token or secret is found by its field name, not by its value, so scan field names as well as values.
Our Regex Privacy Pattern Tester includes a built-in library of 19 PII and credential detection patterns — including AWS keys, PEM private keys, and generic API key patterns — which you can test against any JSON content with inline match highlighting.
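The kind of scan the last two paragraphs describe, as an added example that is not the page's Regex Privacy Pattern Tester: it walks a parsed JSON config and reports each hit with its JSON path and severity, matching AWS key IDs, PEM headers and credentialed connection strings by value and generic secret fields by key name. A JWT-shaped value rule is added here beyond the list in the text. The rule names, the severity scale and the sample config.json are constructed for illustration:

```javascript
// Added example (not from the original page): walk a parsed JSON config and
// report credential-shaped values with their JSON path. The config and the
// rule list below are constructed for this example.

// Each rule names what it matches and how serious a hit is. Value rules test
// the string; key rules test the field name the string sits under.
const RULES = [
  // Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
  { name: "aws_access_key_id", severity: "high", value: /\b(AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { name: "pem_private_key", severity: "critical", value: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  // scheme://user:password@host ... (a URL without credentials has no ':' after the host start).
  { name: "connection_string_password", severity: "high", value: /^[a-z][a-z0-9+.-]*:\/\/[^:\/\s]+:[^@\/\s]+@/i },
  // Three dot-separated Base64URL segments starting with "eyJ" (a JSON header), optionally after "Bearer".
  { name: "bearer_or_jwt", severity: "high", value: /\b(Bearer\s+)?eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/ },
  // Generic secrets are keyed on the field name, so any non-empty string counts.
  { name: "generic_secret_field", severity: "medium", key: /(api[_-]?key|secret|password|passwd|token)$/i },
];

// Never echo a whole secret back in a report; show just enough to locate it.
function preview(s) {
  return s.length <= 8 ? "*".repeat(s.length) : `${s.slice(0, 4)}...${"*".repeat(4)}`;
}

// Depth-first walk over objects and arrays, tracking a JSON-Pointer-style path.
function scanJson(node, path = "", findings = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => scanJson(item, `${path}/${i}`, findings));
  } else if (node !== null && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) scanJson(v, `${path}/${k}`, findings);
  } else if (typeof node === "string" && node.length > 0) {
    const key = path.slice(path.lastIndexOf("/") + 1);
    for (const rule of RULES) {
      const hit = rule.value ? rule.value.test(node) : rule.key.test(key);
      if (hit) findings.push({ path, rule: rule.name, severity: rule.severity, preview: preview(node) });
    }
  }
  return findings;
}

function scanJsonText(text) {
  return scanJson(JSON.parse(text));
}

// Constructed config.json carrying the kinds of leaks the text describes.
const SAMPLE_CONFIG = JSON.stringify({
  service: "billing",
  aws: { region: "eu-west-2", accessKeyId: "AKIAIOSFODNN7EXAMPLE" },
  db: { url: "postgres://billing:Hunter2!@db.internal:5432/billing" },
  signing: { privateKey: "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----" },
  thirdParty: [{ name: "mailer", api_key: "mk_constructed_0123456789" }],
  features: { darkMode: true, maxItems: 50 },
});

// Usage: scanJsonText(SAMPLE_CONFIG) returns four findings, one per leaked field.
```

Reporting the JSON path rather than a line number survives reformatting, and the masked preview means the scanner's own output can be pasted into a ticket without re-leaking the value it found. The regexes carry no g flag on purpose: a global regex keeps lastIndex between test() calls and would silently skip matches.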
Safe JSON Formatting Practices
- Use client-side-only formatters for sensitive JSON. Any JSON formatter that uploads your data to a server creates a risk when the JSON contains credentials or PII. Open the browser's developer tools, watch the Network tab while you format, and confirm that no request carries your data.
- Scan before sharing. Before sending a JSON payload to a colleague, posting in a bug report, or logging for debugging, scan it for sensitive patterns using the PII Pattern Detector.
- Decode JWTs before trusting them. Use our JWT Decoder to inspect what claims are actually present and check that the algorithm is not set to none. Decoding shows what the token says; only a signature check with the right key shows whether it is genuine.
- Apply URL encoding when embedding JSON in URLs. Use our URL Encoder to safely encode JSON strings for use in query parameters, and remember that query strings end up in server logs, proxy logs and browser history, so keep sensitive JSON out of them altogether.
- Parse cookies alongside JSON responses. Modern SPAs often keep session state in cookies, in local storage, or both, and a JWT stored in either is readable with the same decoding step. Use our Cookie String Decoder to check cookie attributes such as HttpOnly, Secure and SameSite alongside your JSON data audit.
Frequently Asked Questions
Why do JSON APIs often contain sensitive data?
REST APIs commonly return complete resource objects even when only a subset of fields is needed. User objects may include email, phone, address, and internal IDs even when only a username is displayed, creating inadvertent PII exposure in API responses.
What is a JWT and how do I decode it?
A JWT is three Base64URL-encoded segments (header, claims payload, signature) joined by dots and used for authentication and authorization. The payload is encoded, not encrypted, so anyone can decode it without a key; only verifying the signature tells you whether to trust it. Use our JWT Decoder to inspect all claims, check expiry, and verify algorithm security.
How can I find PII in a JSON payload?
Paste the JSON text into the PII Pattern Detector for colour-coded detection, or use the Regex Privacy Tester with the built-in credential detection patterns.
Is it safe to format JSON in an online tool?
Only if the tool runs entirely in your browser. Formatting JSON containing credentials or customer PII in a server-side tool is a significant security risk. Always use client-side-only tools and verify with the browser Network tab.