JSON to XML

Convert JSON into well-formed, indented XML with a custom root element. Free, in your browser.

JSON

Root element name

Converts JSON to indented XML, in your browser.

Free to use — premium coming soon

FREE

✓ Custom root
✓ Escaped & indented
✓ 100% private

PREMIUM

★ Remove ads
★ Attributes & XML→JSON

About the JSON to XML

JSON to XML takes data written in JavaScript Object Notation and rewrites it as an XML document. The two formats describe the same idea, a tree of named values, but they look different on the page. JSON uses curly braces, square brackets and key-value pairs, while XML wraps every value in opening and closing tags. This tool walks your JSON tree and emits one XML element per key, nesting child elements exactly as the original objects nest. The result is a well-formed document you can drop into a system that speaks XML rather than JSON, without retyping the structure by hand.

Reach for this converter when something downstream still demands XML. SOAP web services, most enterprise message buses, RSS and Atom feeds, sitemaps, Maven and Spring configuration files, Microsoft Office Open XML documents, and many government or banking APIs all expect XML and will reject JSON outright. If you already hold your data as JSON, from a REST call, a database export, or a frontend form, converting is far faster than building the XML from scratch. It is also handy for testing: paste a JSON sample, get XML, and feed it straight into a SOAP request or an XSD validator to see how the two shapes line up.

The conversion follows a few consistent rules. Each object key becomes an element tag and its value becomes the element's text. Nested objects become nested elements. Arrays are the awkward case, since XML has no array type, so each array entry is emitted as a repeated element sharing the same tag, which is exactly how XML normally expresses a list. Numbers, booleans and null lose their JSON types because XML treats everything as text, so 12, true and null all arrive as plain strings unless you add a type attribute. Reserved characters in values such as &, < and > are escaped to &, < and > so the output stays well-formed.

Everything runs in your browser. The JSON you paste is parsed and converted on your own device using client-side JavaScript, so nothing is uploaded, logged, or stored on a server, which matters when the payload contains customer records, API keys, or internal identifiers. One accuracy caveat worth knowing: XML element names cannot begin with a digit or contain spaces, so a key like "123id" or "user name" must be sanitised, typically by prefixing an underscore or replacing spaces. Always validate the output against your target schema, because JSON and XML are not perfectly one-to-one and edge cases like attributes have no native JSON equivalent.

Frequently asked questions

How are JSON arrays converted to XML?

XML has no array type, so each element of a JSON array is written as a repeated element with the same tag name. For example {"item":[1,2,3]} becomes three separate <item> elements, which is the standard way XML represents a list.

What happens to numbers, booleans, and null values?

XML stores everything as text and has no native number, boolean, or null types, so 12, true, and null all appear as plain text inside their elements. If a downstream system needs the original type, conventions like adding a type="number" attribute can preserve it.

Why do some of my keys change in the XML output?

XML element names cannot start with a digit or contain spaces and certain symbols. Keys such as "123id" or "user name" are sanitised, usually by adding a leading underscore or swapping spaces for underscores, so the document stays well-formed.

Can XML attributes be recreated from JSON?

Not automatically, because JSON has no built-in notion of attributes. Many tools use a convention where keys prefixed with @ become attributes and a key like #text holds element text, but plain JSON will normally map every key to a child element instead.

Is my data sent to a server when I convert?

No. The conversion happens entirely in your browser with JavaScript, so the JSON you paste never leaves your device. That makes it safe to use with sensitive payloads such as customer data or credentials.

From our blog

How to Read a JWT: Decoding Tokens to Debug Authentication Problems

By the Super Simple Digital Tools Team · Updated June 2026

When an authentication flow breaks, the token itself is usually the best witness. A JSON Web Token is three Base64URL-encoded sections joined by dots, and decoding the first two gives you a direct look at what the issuing server actually put inside. Instead of adding print statements or digging through server logs, you can paste the token into a decoder and immediately see the algorithm, the claims, and the timestamps. That single step resolves a surprising share of login and API failures, because most of them come down to a value being wrong, missing, or expired.

Start with the header. It is small, typically just two fields: alg, the signing algorithm such as HS256 or RS256, and typ, almost always JWT. The header matters more than it looks. If your backend expects RS256 but the token says HS256, signature verification will fail no matter how correct the payload is. The header is also where algorithm-confusion attacks hide, so confirming alg is the value your system intends is a quick and worthwhile sanity check before you look anywhere else.

The payload is where the answers usually live. Look at sub to confirm the token is about the right user, iss to confirm it came from the issuer you trust, and aud to confirm it was meant for your service rather than another. Then check the timing claims. exp and iat are Unix timestamps in seconds, and a common bug is a token that is technically valid but expired, or one whose nbf (not before) time is still in the future because of clock skew between servers. Comparing exp to the current time explains most premature logouts.

It is worth repeating what a decoder does not do. It never tells you whether a token is authentic, because it does not check the signature. A token whose payload reads perfectly could still be forged, and a decoder will happily display it anyway. Authenticity depends on recomputing the signature with the correct key, and that verification must happen where the key lives: your server or a trusted local tool. Treat decoding as reading the token's claims, and verification as a separate, key-dependent step that no public web page should perform.

Finally, build a habit around privacy. Because the payload is plainly readable, a token is effectively a small unencrypted document containing whatever the issuer chose to include, often user identifiers and scopes. For day-to-day debugging in development, decoding tokens in the browser is convenient and fine. For anything touching production, decode locally or scrub the token down to a harmless example. The goal is to get the diagnostic value of seeing inside the token without ever handing a live credential to a page you do not fully trust.

Always check the alg field in the header first; a mismatch with what your backend expects is a frequent cause of failed verification.
Convert exp and iat from Unix seconds to a real date and compare exp against the current time to diagnose 'why did my session end early' bugs.
If a token is rejected despite looking valid, check nbf and account for clock skew between the issuing and validating servers.
Never decode a live production token in a tool you don't control; replace real values with dummy data, or decode it on your own machine.

Read the full guide →

Tool by the Super Simple Digital Tools Team. Reviewed by our editorial team. Free to use, no signup required.