Overview
Do you use JWT for your authentication? What data do you store in the JWT payload: non-sensitive data like a user_id, or sensitive data like a password? If you are storing sensitive data in your JWT payload, you should stop doing so now.
In this article I will explain why you should not store sensitive data in your JWT payload.
What is JSON Web Token?
JSON Web Token (JWT) is an open standard for transmitting data between applications in JSON format. A JWT is digitally signed by the backend application, so the data cannot be modified by another party without invalidating the signature.
JWT Structure
By default, a JWT consists of 3 parts: Header, Payload and Signature. The parts are separated by dots (.), so it looks like
header.payload.signature
And here is an example of a JSON Web Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNzA4MzQ1MTIzLCJleHAiOjE3MDgzNTUxMjN9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
The header contains the type of token and the signing algorithm, encoded in base64url (the URL-safe variant of base64).
When you base64-decode this header
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
it will show
{"alg":"HS256","typ":"JWT"}
Payload
Basically, the payload is the data that you want to send, also called claims. Claims are divided into three types: registered claims, public claims and private claims.
- Registered Claims
Registered claims are claims that are already registered by jwt.io and recognized as a global standard. Examples of registered claims are:
iss, sub, aud, exp, nbf, iat, jti
To see the full list of registered claims, you can visit this link
- Public Claims
Public claims are common claims created by developers and used by most developers. Developers are recommended to register these claims in the IANA JWT registry to avoid collisions between claims that have the same meaning.
- Private Claims
Private claims are custom claims used by developers to share information between parties that have agreed on them. These claims are usually used to share information that is not covered by registered claims or public claims.
Now, try to base64-decode the payload
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNzA4MzQ1MTIzLCJleHAiOjE3MDgzNTUxMjN9
And this is what you get
{"sub":"1234567890","name":"John Doe","iat":1708345123,"exp":1708355123}
Look, the data can be decoded easily, and by anyone who holds the token! This is why you should not store sensitive data in your JWT payload.
Signature
The signature is used to verify that the data comes from a valid party. This is what makes a JWT secure; let me explain.
The signature is computed over the encoded header and the encoded payload using a secret, with the algorithm defined in the header.
For example, when using the HMACSHA256 algorithm, the system will create the signature like this:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)
When we send the JWT to the backend, the backend verifies that the token has a valid signature. With this mechanism an attacker cannot abuse the system by modifying the payload: without the secret key, the attacker cannot generate a valid signature, so a modified payload no longer matches its signature and the token is rejected.
Conclusion
The payload of a JWT can be decoded by anyone who holds the token, so be careful with the data you send in the payload.
An attacker cannot generate a valid signature without the secret key. Make sure your secret key is kept safe.