DEV Community: Tahmid The latest articles on DEV Community by Tahmid (@pioneer10). https://dev.to/pioneer10 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3886334%2Fa4efc629-8897-42e4-8973-bdfdaa5a25b5.png DEV Community: Tahmid https://dev.to/pioneer10 en Why Your JSON Keeps Breaking (And How to Fix It Fast) Tahmid Sat, 18 Apr 2026 21:48:08 +0000 https://dev.to/pioneer10/why-your-json-keeps-breaking-and-how-to-fix-it-fast-2lej https://dev.to/pioneer10/why-your-json-keeps-breaking-and-how-to-fix-it-fast-2lej <p>You paste a JSON config into your app and hit <code>SyntaxError: Unexpected token</code>. You scan 60 lines of curly braces, counting quotes by eye. Five minutes later you spot it — a trailing comma on line 47. Sound familiar?</p> <p>JSON is ruthlessly strict. No trailing commas. No comments. No single quotes. No unquoted keys. Even one character out of place produces a completely opaque error message that points you to the wrong line half the time. This post covers the four JSON mistakes that cause 90% of parse failures, how to spot them instantly, and how to stop wasting time on them.</p> <h2> The Four Most Common JSON Errors </h2> <h3> 1. Trailing Commas </h3> <p>This is the most frequent offender, especially if your JSON was hand-written or copied from a JavaScript object literal.</p> <p><strong>Broken:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"active"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Fixed:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"active"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The trailing comma after <code>true</code> is valid JavaScript but illegal JSON. Most parsers point you to the closing brace, not the offending comma, which sends you hunting in the wrong direction.</p> <h3> 2. Single Quotes Instead of Double Quotes </h3> <p>Developers who spend most of their time in JavaScript or Python often reach for single quotes out of habit.</p> <p><strong>Broken:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">'username':</span><span class="w"> </span><span class="err">'bob'</span><span class="p">,</span><span class="w"> </span><span class="err">'permissions':</span><span class="w"> </span><span class="p">[</span><span class="err">'read'</span><span class="p">,</span><span class="w"> </span><span class="err">'write'</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Fixed:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bob"</span><span class="p">,</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"write"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The JSON specification (RFC 8259) is explicit: strings must use double quotes. Single quotes are not valid, period.</p> <h3> 3. Comments Embedded in JSON </h3> <p>If you copied a config from documentation or a README, it may include comments added for human clarity. JSON does not support comments.</p> <p><strong>Broken:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">database</span><span class="w"> </span><span class="err">settings</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"localhost"</span><span class="p">,</span><span class="w"> </span><span class="nl">"port"</span><span class="p">:</span><span class="w"> </span><span class="mi">5432</span><span class="p">,</span><span class="w"> </span><span class="err">/*</span><span class="w"> </span><span class="err">default</span><span class="w"> </span><span class="err">postgres</span><span class="w"> </span><span class="err">port</span><span class="w"> </span><span class="err">*/</span><span class="w"> </span><span class="nl">"database"</span><span class="p">:</span><span class="w"> </span><span class="s2">"myapp"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Fixed:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"localhost"</span><span class="p">,</span><span class="w"> </span><span class="nl">"port"</span><span class="p">:</span><span class="w"> </span><span class="mi">5432</span><span class="p">,</span><span class="w"> </span><span class="nl">"database"</span><span class="p">:</span><span class="w"> </span><span class="s2">"myapp"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Strip every <code>//</code> line comment and every <code>/* */</code> block comment before parsing. If you need to annotate your configs, consider YAML or TOML — or adopt a <code>_comment</code> key as a convention.</p> <h3> 4. JavaScript-Only Values </h3> <p><code>undefined</code>, <code>NaN</code>, and <code>Infinity</code> are valid JavaScript but completely foreign to JSON. Only <code>null</code>, <code>true</code>, <code>false</code>, numbers, strings, arrays, and objects are allowed.</p> <p><strong>Broken:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="err">NaN</span><span class="p">,</span><span class="w"> </span><span class="nl">"result"</span><span class="p">:</span><span class="w"> </span><span class="err">undefined</span><span class="p">,</span><span class="w"> </span><span class="nl">"ratio"</span><span class="p">:</span><span class="w"> </span><span class="err">Infinity</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Fixed:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"result"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"ratio"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>These typically appear when serializing JavaScript objects that contain these special values — a common trap when using <code>JSON.stringify()</code> without a replacer function.</p> <h2> Stop Hunting for Errors by Eye </h2> <p>Reading JSON manually for syntax errors is a poor use of your attention. Paste your broken JSON into the <a href="https://jsonindenter.com/?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=why-your-json-keeps-breaking" rel="noopener noreferrer">JSON Formatter &amp; Validator</a> at jsonindenter.com and it will immediately highlight exactly which line is wrong and why. It also re-indents the output so that nested structures become readable at a glance — a lifesaver when someone hands you a 2KB single-line blob.</p> <p>The validator catches all four of the errors described above and gives you a plain-English error message rather than the cryptic column-number output your runtime throws.</p> <h2> Comparing Two JSON Responses </h2> <p>Another common scenario: you have two versions of a JSON response — one from staging, one from production — and something is different but you can't tell what. Diffing them by eye across two editor tabs is tedious and error-prone.</p> <p>The <a href="https://jsonindenter.com/json-diff?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=why-your-json-keeps-breaking" rel="noopener noreferrer">JSON Diff tool</a> does a structural comparison of two JSON documents and highlights exactly which keys were added, removed, or changed in value. Because it understands JSON structure, it doesn't get confused by whitespace changes or key reordering — it shows you only what actually changed semantically.</p> <h2> Minifying for Production </h2> <p>Once your JSON is clean and validated, you may want to strip all whitespace before embedding it in a build artifact or sending it over the wire. The <a href="https://jsonindenter.com/json-minifier?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=why-your-json-keeps-breaking" rel="noopener noreferrer">JSON Minifier</a> removes all unnecessary whitespace in one click. For a 500-line formatted config file, the minified output is typically 3–5× smaller by byte count — a meaningful difference in payload-sensitive contexts like mobile APIs or edge functions.</p> <h2> A Practical Debugging Workflow </h2> <p>When JSON breaks in a project, this three-step process gets me to a fix in under two minutes:</p> <ol> <li>Paste into the formatter — it shows the exact error location and corrects indentation so the structure is visible</li> <li>Fix the flagged issue and validate again until the document is clean</li> <li>If the JSON parses successfully but behavior is still wrong, use the diff tool to compare against the last known-good version line by line</li> </ol> <p>This replaces what used to be ten minutes of manual scanning and guessing.</p> <h2> The Bigger Picture </h2> <p>Most JSON headaches come from the same handful of mistakes, and almost all of them come from editing JSON by hand or copying it from contexts that allow looser syntax — JavaScript objects, Python dicts, config files with comments. The fix isn't memorizing the spec; it's building a habit of running JSON through a validator before it ever reaches your parser.</p> <p>What's your most painful "I spent an hour on a trailing comma" story? Drop it in the comments — I know I'm not the only one who's been there.</p> <p><em>Free tools used in this post:</em></p> <ul> <li> <a href="https://jsonindenter.com/?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=why-your-json-keeps-breaking" rel="noopener noreferrer">JSON Formatter &amp; Validator</a> — paste broken JSON and get instant error highlighting with clean re-indentation</li> <li> <a href="https://jsonindenter.com/json-diff?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=why-your-json-keeps-breaking" rel="noopener noreferrer">JSON Diff</a> — structural comparison of two JSON documents, shows exactly what changed semantically</li> <li> <a href="https://jsonindenter.com/json-minifier?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=why-your-json-keeps-breaking" rel="noopener noreferrer">JSON Minifier</a> — strips all whitespace from JSON for smaller payloads</li> <li> <a href="https://jsonindenter.com/all-json-tools?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=why-your-json-keeps-breaking" rel="noopener noreferrer">All tools</a> — client-side, no sign-up, nothing leaves your browser</li> </ul> javascript webdev tutorial beginners How to Compare Two JSON Objects and Spot the Differences Instantly Tahmid Sat, 18 Apr 2026 21:47:55 +0000 https://dev.to/pioneer10/how-to-compare-two-json-objects-and-spot-the-differences-instantly-1b4j https://dev.to/pioneer10/how-to-compare-two-json-objects-and-spot-the-differences-instantly-1b4j <p>You're two hours into debugging a production issue. Your API contract says the response should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">42</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"active"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"write"</span><span class="p">,</span><span class="w"> </span><span class="s2">"delete"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>But something downstream is breaking. You log the actual response and squint at it. It <em>looks</em> the same. Roughly. But your authorization middleware just denied an admin user.</p> <p>That's when you notice: <code>"role"</code> is missing. Or it became <code>"roles"</code>. Or <code>"active"</code> is now the string <code>"true"</code> instead of a boolean. Bugs like this are trivially small and brutally hard to spot in a wall of JSON text — especially when the payload is minified or poorly indented.</p> <p>Here's a practical workflow for comparing two JSON objects and catching differences before they catch you.</p> <h2> Step 1: Format both objects identically </h2> <p>Comparing minified JSON visually is a waste of time. If your two blobs have different indentation, trailing whitespace, or inconsistent key ordering, even a side-by-side diff tool will light up with false positives.</p> <p>Before anything else, run both objects through a formatter. Paste each one into <a href="https://jsonindenter.com/?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=json-diff-compare-objects" rel="noopener noreferrer">JSON Indenter</a> and make sure you're comparing apples to apples: same indentation style, same structure, same readability.</p> <p><strong>Before (minified):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"user"</span><span class="p">:{</span><span class="nl">"id"</span><span class="p">:</span><span class="mi">42</span><span class="p">,</span><span class="nl">"name"</span><span class="p">:</span><span class="s2">"Alice"</span><span class="p">,</span><span class="nl">"role"</span><span class="p">:</span><span class="s2">"admin"</span><span class="p">,</span><span class="nl">"active"</span><span class="p">:</span><span class="kc">true</span><span class="p">},</span><span class="nl">"permissions"</span><span class="p">:[</span><span class="s2">"read"</span><span class="p">,</span><span class="s2">"write"</span><span class="p">,</span><span class="s2">"delete"</span><span class="p">]}</span><span class="w"> </span></code></pre> </div> <p><strong>After (formatted):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">42</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"active"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"write"</span><span class="p">,</span><span class="w"> </span><span class="s2">"delete"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now you can actually read it. This single step eliminates a whole class of "differences" that are really just formatting noise.</p> <h2> Step 2: Validate before you compare </h2> <p>If either object has a syntax error, your diff will give you nonsense. A stray trailing comma, an unquoted key, or a missing bracket will corrupt the comparison before it starts.</p> <p>Run both objects through the <a href="https://jsonindenter.com/validator?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=json-diff-compare-objects" rel="noopener noreferrer">JSON Validator</a> before proceeding. It surfaces syntax errors with exact line numbers, so you fix the structure first and compare content second.</p> <p>This matters more than you'd think. Many JSON objects in the wild come from sources that produce <em>technically invalid</em> JSON — config files with comments, legacy APIs with trailing commas, log entries with prepended timestamps. Validate early.</p> <h2> Step 3: Compare programmatically when you need precision </h2> <p>For automated tests or CI pipelines, visual comparison doesn't scale. Here's where programmatic diffing becomes essential.</p> <p><strong>The naive approach — and why it fails:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">a</span> <span class="o">=</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">42</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Alice</span><span class="dl">"</span> <span class="p">}</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">b</span> <span class="o">=</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Alice</span><span class="dl">"</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="mi">42</span> <span class="p">}</span> <span class="p">};</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="o">===</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">b</span><span class="p">));</span> <span class="c1">// false — key order matters for string comparison, not for JSON semantics</span> </code></pre> </div> <p><code>JSON.stringify</code> is order-sensitive. Two objects that are semantically identical can produce different strings if their keys were inserted in a different order.</p> <p><strong>A better approach — recursive diff with specific output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">jsonDiff</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">,</span> <span class="nx">path</span> <span class="o">=</span> <span class="dl">""</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">diffs</span> <span class="o">=</span> <span class="p">[];</span> <span class="kd">const</span> <span class="nx">allKeys</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([...</span><span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">a</span><span class="p">),</span> <span class="p">...</span><span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">b</span><span class="p">)]);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">key</span> <span class="k">of</span> <span class="nx">allKeys</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fullPath</span> <span class="o">=</span> <span class="nx">path</span> <span class="p">?</span> <span class="s2">`</span><span class="p">${</span><span class="nx">path</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span> <span class="p">:</span> <span class="nx">key</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="nx">key</span> <span class="k">in</span> <span class="nx">a</span><span class="p">))</span> <span class="p">{</span> <span class="nx">diffs</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="s2">`ADDED: </span><span class="p">${</span><span class="nx">fullPath</span><span class="p">}</span><span class="s2"> = </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">b</span><span class="p">[</span><span class="nx">key</span><span class="p">])}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="nx">key</span> <span class="k">in</span> <span class="nx">b</span><span class="p">))</span> <span class="p">{</span> <span class="nx">diffs</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="s2">`REMOVED: </span><span class="p">${</span><span class="nx">fullPath</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">a</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">object</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="nx">a</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">!==</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="k">typeof</span> <span class="nx">b</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">object</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="nx">b</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nx">diffs</span><span class="p">.</span><span class="nf">push</span><span class="p">(...</span><span class="nf">jsonDiff</span><span class="p">(</span><span class="nx">a</span><span class="p">[</span><span class="nx">key</span><span class="p">],</span> <span class="nx">b</span><span class="p">[</span><span class="nx">key</span><span class="p">],</span> <span class="nx">fullPath</span><span class="p">));</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">a</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">!==</span> <span class="nx">b</span><span class="p">[</span><span class="nx">key</span><span class="p">])</span> <span class="p">{</span> <span class="nx">diffs</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="s2">`CHANGED: </span><span class="p">${</span><span class="nx">fullPath</span><span class="p">}</span><span class="s2">: </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">a</span><span class="p">[</span><span class="nx">key</span><span class="p">])}</span><span class="s2"> → </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">b</span><span class="p">[</span><span class="nx">key</span><span class="p">])}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">diffs</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">jsonDiff</span><span class="p">(</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">42</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Alice</span><span class="dl">"</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span> <span class="p">},</span> <span class="na">active</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">42</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Alice</span><span class="dl">"</span> <span class="p">},</span> <span class="na">active</span><span class="p">:</span> <span class="dl">"</span><span class="s2">true</span><span class="dl">"</span> <span class="p">}</span> <span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">result</span><span class="p">);</span> <span class="c1">// ["REMOVED: user.role", "CHANGED: active: true → \"true\""]</span> </code></pre> </div> <p>This is far more useful than a raw boolean — you get the exact path and the exact values that changed.</p> <h2> Where types silently bite you </h2> <p>The most dangerous JSON diffs aren't missing keys — they're type changes. A value going from <code>true</code> (boolean) to <code>"true"</code> (string) looks identical in most log outputs but behaves completely differently in application logic.</p> <p>Your comparison logic needs to be explicit about types. In the function above, <code>a[key] !== b[key]</code> catches this because JavaScript's strict equality distinguishes <code>true</code> from <code>"true"</code>. In Python, watch out for integers and floats comparing as equal (<code>1 == 1.0</code>), which can mask precision changes that matter to downstream typed systems.</p> <p>For a deeper look at the syntax issues and type mismatches that show up most often in real payloads, the <a href="https://jsonindenter.com/blog/5-common-json-errors?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=json-diff-compare-objects" rel="noopener noreferrer">5 Common JSON Errors</a> post on JSON Indenter's blog is worth a read — it covers the patterns that trip up developers most reliably.</p> <h2> When to reach for a library </h2> <p>For production use, libraries like <code>deep-diff</code> (Node.js) or <code>deepdiff</code> (Python) go further: they handle arrays intelligently, track moved elements, and give you structured change records you can iterate over. But for day-to-day debugging — the "why is this response different from yesterday?" question you face a dozen times a month — formatting both payloads consistently, validating them, and running a simple recursive diff gets you to the answer in under two minutes.</p> <p>What's your go-to approach when two API responses look identical but aren't? Have you ever been burned by a boolean quietly becoming a string, or a key silently renamed in a schema update? Drop your war stories in the comments — I'd love to hear how others handle this.</p> <p><em>Free tools used in this post:</em></p> <ul> <li> <a href="https://jsonindenter.com/?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=json-diff-compare-objects" rel="noopener noreferrer">JSON Formatter &amp; Validator</a> — instantly formats and beautifies JSON in your browser, client-side</li> <li> <a href="https://jsonindenter.com/validator?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=json-diff-compare-objects" rel="noopener noreferrer">JSON Validator Pro</a> — lint and validate JSON with exact line-number error reporting</li> <li> <a href="https://jsonindenter.com/all-json-tools?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=json-diff-compare-objects" rel="noopener noreferrer">All tools</a> — client-side, no sign-up, nothing leaves your browser</li> </ul> javascript webdev tutorial programming How to structure JSON for LLMs (and stop wasting tokens) Tahmid Sat, 18 Apr 2026 19:15:15 +0000 https://dev.to/pioneer10/how-to-structure-json-for-llms-and-stop-wasting-tokens-4dc6 https://dev.to/pioneer10/how-to-structure-json-for-llms-and-stop-wasting-tokens-4dc6 <p>Most developers treat JSON as an afterthought when building LLM-powered apps. They dump raw API responses into prompts and wonder why the model hallucinates, misreads fields, or burns through tokens.</p> <p>JSON structure is a first-class concern in AI engineering. Here's how to get it right.</p> <h2> The problem: LLMs don't read JSON like humans do </h2> <p>When you paste this into a prompt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"user"</span><span class="p">:{</span><span class="nl">"id"</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span><span class="nl">"name"</span><span class="p">:</span><span class="s2">"Alice"</span><span class="p">,</span><span class="nl">"preferences"</span><span class="p">:{</span><span class="nl">"theme"</span><span class="p">:</span><span class="s2">"dark"</span><span class="p">,</span><span class="nl">"notifications"</span><span class="p">:</span><span class="kc">true</span><span class="p">,</span><span class="nl">"language"</span><span class="p">:</span><span class="s2">"en"</span><span class="p">}}}</span><span class="w"> </span></code></pre> </div> <p>The model tokenizes it character by character. Every <code>{</code>, <code>"</code>, <code>:</code>, and <code>,</code> is a token. Deeply nested structures force the model to maintain more working context just to understand the shape of the data — before it even processes the values.</p> <p>The result: more tokens consumed, more room for misinterpretation, higher API costs.</p> <h2> Rule 1: Flatten before you prompt </h2> <p>Nested JSON is great for APIs. It's bad for prompts.</p> <p><strong>Before:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"profile"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"age"</span><span class="p">:</span><span class="w"> </span><span class="mi">28</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>After (flattened):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"user_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_age"</span><span class="p">:</span><span class="w"> </span><span class="mi">28</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>One level deep is almost always enough for LLM context. If the model needs to reason about relationships, describe them in natural language alongside the data — don't encode them in nesting.</p> <h2> Rule 2: Strip fields the model doesn't need </h2> <p>Every field in your JSON costs tokens. If the model doesn't need <code>created_at</code>, <code>updated_at</code>, <code>internal_id</code>, or <code>_metadata</code> — remove them before building the prompt.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">created_at</span><span class="p">,</span> <span class="nx">updated_at</span><span class="p">,</span> <span class="nx">_metadata</span><span class="p">,</span> <span class="p">...</span><span class="nx">relevant</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">apiResponse</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">prompt</span> <span class="o">=</span> <span class="s2">`Here is the user data: </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">relevant</span><span class="p">)}</span><span class="s2">`</span><span class="p">;</span> </code></pre> </div> <p>This alone can cut token usage by 20–40% on typical API responses.</p> <h2> Rule 3: Use TOON for large payloads </h2> <p>If you're passing payloads larger than ~500 tokens, consider TOON (Token-Oriented Object Notation). It's a compact alternative to JSON that strips redundant syntax while preserving structure.</p> <p><strong>JSON:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Alice"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bob"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"editor"</span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p><strong>TOON:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csvs"><code><span class="k">name</span><span class="err">|</span><span class="k">role</span> <span class="k">Alice</span><span class="err">|</span><span class="k">admin</span> <span class="k">Bob</span><span class="err">|</span><span class="k">editor</span> </code></pre> </div> <p>Token reduction: <strong>30–60%</strong> on typical datasets. The model reads it correctly because the structure is still unambiguous — just more compact.</p> <p>Try it on your own payloads with the <a href="https://jsonindenter.com/json-to-toon?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">JSON to TOON converter</a>. There's also a <a href="https://jsonindenter.com/toon-to-json?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">TOON to JSON</a> converter for decoding the model's response back.</p> <h2> Rule 4: Use JSON Schema to enforce structured outputs </h2> <p>LLMs can return JSON — but without constraints, they hallucinate keys, change types, and add fields you didn't ask for.</p> <p>The fix: define a schema and include it in your system prompt.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"object"</span><span class="p">,</span><span class="w"> </span><span class="nl">"properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sentiment"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enum"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"positive"</span><span class="p">,</span><span class="w"> </span><span class="s2">"negative"</span><span class="p">,</span><span class="w"> </span><span class="s2">"neutral"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"confidence"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"number"</span><span class="p">,</span><span class="w"> </span><span class="nl">"minimum"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"maximum"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"maxLength"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"required"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"sentiment"</span><span class="p">,</span><span class="w"> </span><span class="s2">"confidence"</span><span class="p">,</span><span class="w"> </span><span class="s2">"summary"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Tell the model: <em>"Respond only with a JSON object matching this schema. No explanation, no markdown."</em></p> <p>Then validate the output with a JSON Schema validator before trusting it. This is especially critical in agentic workflows where one bad output poisons downstream steps. You can generate a schema automatically from any sample payload using the <a href="https://jsonindenter.com/json-to-schema?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">JSON Schema generator</a> — useful as a starting point you can then tighten up.</p> <h2> Rule 5: Use Pydantic or Zod to validate at the boundary </h2> <p>Never trust raw LLM JSON output in production. Parse and validate it immediately.</p> <p><strong>Python (FastAPI / AI agents):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span> <span class="k">class</span> <span class="nc">SentimentResult</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">sentiment</span><span class="p">:</span> <span class="nb">str</span> <span class="n">confidence</span><span class="p">:</span> <span class="nb">float</span> <span class="n">summary</span><span class="p">:</span> <span class="nb">str</span> <span class="n">result</span> <span class="o">=</span> <span class="n">SentimentResult</span><span class="p">.</span><span class="nf">model_validate_json</span><span class="p">(</span><span class="n">llm_output</span><span class="p">)</span> </code></pre> </div> <p><strong>TypeScript (Next.js / tRPC):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">zod</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">SentimentResult</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">sentiment</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">'</span><span class="s1">positive</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">negative</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">neutral</span><span class="dl">'</span><span class="p">]),</span> <span class="na">confidence</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">0</span><span class="p">).</span><span class="nf">max</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="na">summary</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">max</span><span class="p">(</span><span class="mi">200</span><span class="p">),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">SentimentResult</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">llmOutput</span><span class="p">));</span> </code></pre> </div> <p>Writing these by hand from a large JSON payload is tedious. The <a href="https://jsonindenter.com/json-to-pydantic?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">JSON to Pydantic</a> and <a href="https://jsonindenter.com/json-to-zod?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">JSON to Zod</a> generators handle it instantly — paste your payload, get the model.</p> <h2> Rule 6: Use TypeScript interfaces when working with typed LLM outputs </h2> <p>If you're building in TypeScript, generating interfaces from your JSON response shapes saves time and prevents drift between what the LLM returns and what your code expects.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Generated from your actual LLM response shape</span> <span class="kr">interface</span> <span class="nx">SentimentResponse</span> <span class="p">{</span> <span class="nl">sentiment</span><span class="p">:</span> <span class="dl">'</span><span class="s1">positive</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">negative</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">neutral</span><span class="dl">'</span><span class="p">;</span> <span class="nl">confidence</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">summary</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The <a href="https://jsonindenter.com/json-to-typescript?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">JSON to TypeScript</a> converter generates these from any payload — useful when you're iterating quickly on prompt outputs and want the type system to catch regressions.</p> <h2> The full checklist </h2> <p>Before passing JSON to an LLM:</p> <ul> <li>Flatten nested structures to one level where possible</li> <li>Strip fields irrelevant to the task</li> <li>Use TOON for payloads &gt; 500 tokens</li> <li>Define a JSON Schema for expected output</li> <li>Validate output with Pydantic or Zod before use</li> <li>Use TypeScript interfaces to catch output shape regressions</li> </ul> <p>These aren't micro-optimisations. On high-volume AI apps, they compound into significant cost and reliability improvements.</p> <p>What's your current approach to JSON in LLM workflows? Drop it in the comments — I'm curious how others handle this.</p> <p><em>Free tools used in this post:</em></p> <ul> <li> <a href="https://jsonindenter.com/json-to-toon?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">JSON to TOON</a> — compress JSON for LLM context</li> <li> <a href="https://jsonindenter.com/toon-to-json?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">TOON to JSON</a> — decode TOON back to JSON</li> <li> <a href="https://jsonindenter.com/json-to-schema?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">JSON Schema Generator</a> — generate schemas from sample payloads</li> <li> <a href="https://jsonindenter.com/json-to-pydantic?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">JSON to Pydantic</a> — instant Python models</li> <li> <a href="https://jsonindenter.com/json-to-zod?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">JSON to Zod</a> — instant TypeScript validation schemas</li> <li> <a href="https://jsonindenter.com/json-to-typescript?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">JSON to TypeScript</a> — generate interfaces from any payload</li> <li> <a href="https://jsonindenter.com/all-json-tools?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=llm-json" rel="noopener noreferrer">All tools</a> — client-side, no sign-up, nothing leaves your browser</li> </ul> ai json webdev llm JWT security mistakes that will get you breached Tahmid Sat, 18 Apr 2026 19:05:55 +0000 https://dev.to/pioneer10/jwt-security-mistakes-that-will-get-you-breached-4834 https://dev.to/pioneer10/jwt-security-mistakes-that-will-get-you-breached-4834 <p>JWTs are everywhere. Auth tokens, API keys, session management — if you're building web apps, you're almost certainly using them. They're also one of the most commonly misconfigured pieces of security infrastructure in production systems.</p> <p>Here are the mistakes I see repeatedly, and exactly how to fix them.</p> <h2> Quick recap: what a JWT actually is </h2> <p>A JWT has three parts separated by dots:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>header.payload.signature </code></pre> </div> <ul> <li> <strong>Header</strong> — algorithm used to sign the token (<code>HS256</code>, <code>RS256</code>, etc.)</li> <li> <strong>Payload</strong> — the claims (user ID, roles, expiry, etc.)</li> <li> <strong>Signature</strong> — cryptographic proof the token hasn't been tampered with The payload is <strong>base64-encoded, not encrypted</strong>. Anyone who intercepts your token can read everything in it. This matters more than most developers realise.</li> </ul> <p>If you want to see this in action, paste any token into a <a href="https://jsonindenter.com/jwt-decoder?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=jwt-security" rel="noopener noreferrer">JWT decoder</a> and read the payload in plain text — no tools, no secret needed.</p> <h2> Mistake 1: Using the <code>none</code> algorithm </h2> <p>This is the most catastrophic JWT vulnerability. Some libraries accept a token signed with <code>alg: none</code> — meaning no signature at all.</p> <p>An attacker can craft a token like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Header</span><span class="w"> </span><span class="err">(base</span><span class="mi">64</span><span class="w"> </span><span class="err">decoded)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"none"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JWT"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Payload</span><span class="w"> </span><span class="err">(base</span><span class="mi">64</span><span class="w"> </span><span class="err">decoded)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1234"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>If your server accepts it, the attacker just gave themselves admin access with no credentials.</p> <p><strong>Fix:</strong> Explicitly allowlist the algorithms your server accepts. Never allow <code>none</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Node.js / jsonwebtoken</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">secret</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">HS256</span><span class="dl">'</span><span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h2> Mistake 2: Weak or hardcoded secrets </h2> <p><code>HS256</code> is a symmetric algorithm — the same secret signs and verifies tokens. If your secret is weak or leaked, every token ever issued is compromised.</p> <p>Common offenders:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>secret password jwt_secret mysecretkey your-256-bit-secret ← literally from the JWT.io example </code></pre> </div> <p><strong>Fix:</strong> Generate secrets with sufficient entropy and store them in environment variables, never in code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate a strong secret</span> node <span class="nt">-e</span> <span class="s2">"console.log(require('crypto').randomBytes(64).toString('hex'))"</span> </code></pre> </div> <p>For production systems with multiple services, prefer <code>RS256</code> (asymmetric) — the private key signs, the public key verifies. A compromised verification service can't forge tokens. You can test tokens signed with different algorithms using the <a href="https://jsonindenter.com/jwt-encoder?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=jwt-security" rel="noopener noreferrer">JWT encoder</a> to understand exactly what gets embedded.</p> <h2> Mistake 3: Storing JWTs in localStorage </h2> <p><code>localStorage</code> is accessible to any JavaScript running on your page. A single XSS vulnerability — in your code, a dependency, or a third-party script — exposes every stored token.</p> <p><strong>Fix:</strong> Store JWTs in <code>HttpOnly</code> cookies. They're invisible to JavaScript entirely.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">jwt</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// not accessible via JS</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// HTTPS only</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">strict</span><span class="dl">'</span> <span class="c1">// CSRF protection</span> <span class="p">});</span> </code></pre> </div> <p>Yes, this requires handling CSRF. That's a better problem to have than XSS token theft.</p> <h2> Mistake 4: No expiry — or expiry that's too long </h2> <p>A JWT with no <code>exp</code> claim is valid forever. If it's leaked, stolen, or the user's account is compromised, you have no way to invalidate it short of rotating your signing secret (which invalidates every token).</p> <p><strong>Fix:</strong> Set short expiry for access tokens, longer for refresh tokens.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">secret</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">15m</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">secret</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span> <span class="p">});</span> </code></pre> </div> <p>15 minutes for access tokens is a common production standard. Refresh tokens should be rotated on use and stored server-side so they can be revoked.</p> <h2> Mistake 5: Putting sensitive data in the payload </h2> <p>The payload is not encrypted. It's trivially decoded by anyone with the token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"eyJ1c2VyIjoiYWxpY2UiLCJwYXNzd29yZCI6InNlY3JldCJ9"</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="c"># {"user":"alice","password":"secret"}</span> </code></pre> </div> <p>I've seen production tokens containing passwords, full PII, credit card fragments, and internal system details. All readable by anyone who intercepts the token. Try it yourself — paste that string into a <a href="https://jsonindenter.com/jwt-decoder?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=jwt-security" rel="noopener noreferrer">JWT decoder</a> and see exactly what's exposed.</p> <p><strong>Fix:</strong> Put only the minimum identifying information in the payload.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user_abc123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1735689600</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Look up everything else server-side using the <code>sub</code> claim. If you need the payload encrypted, use JWE (JSON Web Encryption) — a different standard entirely.</p> <h2> Mistake 6: Not validating claims server-side </h2> <p>Libraries verify the signature automatically — but claim validation is on you.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Bad — only verifies signature</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">secret</span><span class="p">);</span> <span class="c1">// Good — verify signature AND validate claims</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">secret</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">HS256</span><span class="dl">'</span><span class="p">]</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">exp</span> <span class="o">&lt;</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Token expired</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">iss</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">https://yourapp.com</span><span class="dl">'</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid issuer</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">aud</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">your-api</span><span class="dl">'</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid audience</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>Always validate <code>exp</code>, <code>iss</code> (issuer), and <code>aud</code> (audience) explicitly — especially if tokens from multiple issuers could reach your API.</p> <h2> Mistake 7: No token revocation strategy </h2> <p>JWTs are stateless by design — once issued, they're valid until expiry. But what happens when:</p> <ul> <li>A user logs out</li> <li>An account is compromised</li> <li>A user's role changes mid-session If you're relying purely on token expiry, a stolen 15-minute token is valid for up to 15 minutes after the breach is detected.</li> </ul> <p><strong>Fix:</strong> Maintain a server-side revocation list (denylist) for sensitive operations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// On logout</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="s2">`revoked:</span><span class="p">${</span><span class="nx">jti</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EX</span><span class="dl">'</span><span class="p">,</span> <span class="mi">900</span><span class="p">);</span> <span class="c1">// expire after token TTL</span> <span class="c1">// On verify</span> <span class="kd">const</span> <span class="nx">isRevoked</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`revoked:</span><span class="p">${</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">jti</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">isRevoked</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Token revoked</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>Add a <code>jti</code> (JWT ID) claim — a unique identifier per token — so you can target specific tokens for revocation without rotating your secret.</p> <h2> The JWT security checklist </h2> <ul> <li>Explicitly allowlist algorithms — never allow <code>none</code> </li> <li>Use strong, randomly generated secrets (64+ bytes)</li> <li>Prefer <code>RS256</code> for multi-service architectures</li> <li>Store tokens in <code>HttpOnly</code> cookies, not <code>localStorage</code> </li> <li>Set short expiry on access tokens (15 minutes)</li> <li>Put only non-sensitive identifiers in the payload</li> <li>Validate <code>exp</code>, <code>iss</code>, and <code>aud</code> claims explicitly</li> </ul> <h2> - Implement token revocation with a <code>jti</code> denylist </h2> <p>JWTs are a solid auth primitive when implemented correctly. The problems almost always come from default configurations and library trust — not the spec itself.</p> <p>What JWT issue have you encountered in production? Drop it in the comments.</p> <p><em>Free tools used in this post:</em></p> <ul> <li> <a href="https://jsonindenter.com/jwt-decoder?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=jwt-security" rel="noopener noreferrer">JWT Decoder</a> — inspect any token without a secret</li> <li> <a href="https://jsonindenter.com/jwt-encoder?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=jwt-security" rel="noopener noreferrer">JWT Encoder</a> — generate and sign JWTs for testing</li> <li> <a href="https://jsonindenter.com/all-json-tools?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=jwt-security" rel="noopener noreferrer">All JSON &amp; JWT tools</a> — everything runs client-side, nothing leaves your browser</li> </ul> security json webdev jwt 5 JSON tricks most developers don't use Tahmid Sat, 18 Apr 2026 18:01:11 +0000 https://dev.to/pioneer10/5-json-tricks-most-developers-dont-use-4jbi https://dev.to/pioneer10/5-json-tricks-most-developers-dont-use-4jbi <p>JSON is everywhere, but most developers only use <code>JSON.parse()</code> and <code>JSON.stringify()</code>. Here are a few tricks worth knowing.</p> <h2> 1. Pretty-print in one line </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">));</span> </code></pre> </div> <p>The third argument is your indent size. Instant readability.</p> <h2> 2. Filter keys on stringify </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">user</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">],</span> <span class="mi">2</span><span class="p">);</span> </code></pre> </div> <p>Pass an array of keys to only include those fields. Great for logging without exposing sensitive data.</p> <h2> 3. JSONPath for deep queries </h2> <p>Instead of chaining <code>.map()</code> and <code>.filter()</code>, JSONPath lets you query nested JSON like a database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">$.users</span><span class="p">[</span><span class="err">?(@.age</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="mi">30</span><span class="err">)</span><span class="p">]</span><span class="err">.name</span><span class="w"> </span></code></pre> </div> <h2> 4. Auto-repair broken JSON </h2> <p>LLMs often return slightly malformed JSON — trailing commas, single quotes, missing brackets. Instead of debugging it manually, a repair function can fix most common issues automatically.</p> <h2> 5. Reduce LLM token usage with compact formats </h2> <p>If you're passing large JSON payloads as context to GPT or Claude, consider stripping whitespace at minimum. Better yet, look into TOON (Token-Oriented Object Notation) — a compact alternative that cuts token count by 30–60% without losing structure.</p> <p>I built <strong><a href="https://jsonindenter.com/?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=json-tricks" rel="noopener noreferrer">jsonindenter.com</a></strong> as a free client-side toolkit that covers all of the above — JSONPath tester, JSON repair, TOON converter, Zod/Pydantic generators, JWT tools, and more. No sign-up, no ads, your data never leaves your browser.</p> <p>What JSON tricks do you swear by? Drop them in the comments 👇</p> webdev javascript json showdev