"Think of it like a secret message in the form of a cryptographically signed note, which can only be understood by the intended recipient."
Well, not exactly. Anybody can reverse the content of the JWT. You just can't modify them or create your own if the server is using a private/public key signature to verify the JWTs. But if you steal a JWT, you can certainly read its content.
Not always... The problem here is: "JWT is abstract". You will never create a JWT.
You will create a JWS or a JWE.
JWS is a signed JWT, the one presented here; no security about reading the body.
JWE is an encrypted JWT; you can't read it without the private key.
JWS can be useful because you can read the expiration, or validate the signature with a JWKS... but the content is readable.
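The point made in the comments above (a JWS payload is readable by anyone, only its integrity is protected by the signature) can be shown with the Python standard library. This is an added example, not code from the thread or from jwt.io; it uses a constructed HS256 key and a constructed payload, and it builds and checks compact-serialization JWS tokens by hand (JWE, the encrypted variant, needs a crypto library and is not shown here).

```python
import base64
import hashlib
import hmac
import json

# Constructed HMAC key for the example; a real deployment keeps this server-side.
KEY = b"constructed-example-hs256-key-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as required by the JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding that JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Produce a JWS (signed JWT) with alg=HS256 over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def read_unverified(token: str) -> tuple[dict, dict]:
    """What anyone holding the token can do without the key: decode header and claims.

    Nothing here touches the signature; this is exactly why a stolen JWS leaks its body.
    """
    header_part, payload_part, _signature_part = token.split(".")
    return (
        json.loads(b64url_decode(header_part)),
        json.loads(b64url_decode(payload_part)),
    )


def verify_hs256(token: str, key: bytes) -> bool:
    """What the server does: recompute the MAC over header.payload and compare.

    The alg is pinned to HS256 rather than read from the token, so a token that
    claims a different algorithm is rejected instead of trusted.
    """
    try:
        header_part, payload_part, signature_part = token.split(".")
    except ValueError:
        return False
    header = json.loads(b64url_decode(header_part))
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(
        key, f"{header_part}.{payload_part}".encode("ascii"), hashlib.sha256
    ).digest()
    return hmac.compare_digest(expected, b64url_decode(signature_part))


def replace_payload(token: str, new_payload: dict) -> str:
    """Swap the claims but keep the old signature; used to show that edits are detected."""
    header_part, _old_payload, signature_part = token.split(".")
    new_part = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_part}.{new_part}.{signature_part}"


if __name__ == "__main__":
    # Constructed claims for the demo.
    token = sign_hs256({"sub": "alice", "role": "user", "exp": 1700000000}, KEY)
    print("readable without key:", read_unverified(token)[1])
    print("valid with right key:", verify_hs256(token, KEY))
    print("valid with wrong key:", verify_hs256(token, b"other-key"))
    forged = replace_payload(token, {"sub": "alice", "role": "admin", "exp": 1700000000})
    print("edited claims still readable:", read_unverified(forged)[1])
    print("edited token verifies:", verify_hs256(forged, KEY))
```

Running it shows the two halves of the comment: `read_unverified` returns the claims with no key at all, while any change to those claims makes `verify_hs256` return `False`. Reading the `exp` claim client-side (to know when to refresh) is fine; any authorization decision must come after the signature check, never from the decoded body alone.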
Oh cool, I was just using jwt.io as my source so I guess that's a jws implementation.