Common misconception: "JWTs are encrypted, so I can store data in them."
Reality: a standard JWT's header and payload are only Base64-encoded —
fully readable by anyone. Paste one into any decoder and the claims fall right
out. The signature proves the token wasn't tampered with; it does NOT hide
the contents.
So: never put secrets in a JWT payload.
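To make the point concrete, here is a small added example (not from the original post) that builds an HS256 JWT with a constructed key and claims, reads the payload back with no key at all, and then shows what the signature actually does: it fails on a wrong key or on an edited payload, while hiding nothing.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key and claims for the demo (not from the original post).
SECRET = b"demo-signing-key"
CLAIMS = {"sub": "alice", "role": "user", "internal_note": "do not leak"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # Base64url drops the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def read_claims_without_key(token: str) -> dict:
    # No key, no verification: the payload is just Base64url-encoded JSON.
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_hs256(token: str, key: bytes) -> bool:
    # The MAC covers "header.payload", so any change to either part breaks it.
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def with_edited_claim(token: str) -> str:
    # Re-encode the payload with one claim changed but keep the old signature,
    # which is exactly what verify_hs256 is meant to catch.
    header, _, sig = token.split(".")
    altered = dict(read_claims_without_key(token), role="admin")
    return f"{header}.{b64url_encode(json.dumps(altered).encode())}.{sig}"


if __name__ == "__main__":
    tok = make_hs256_jwt(CLAIMS, SECRET)
    print("claims read with no key:", read_claims_without_key(tok))
    print("valid with right key:", verify_hs256(tok, SECRET))
    print("valid after edit:", verify_hs256(with_edited_claim(tok), SECRET))
```

The `internal_note` claim comes straight back out without the key, which is the whole reason it should never have been in the token; the signature only tells the server whether the token still matches what it issued.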
While we're clearing up auth confusion, three things that look similar but
aren't:
• Encoding (Base64) → representation, reversible, no key
• Encryption (AES) → protection, reversible with a key
• Hashing (SHA-256) → one-way, can't be reversed (why passwords are hashed)
I wrote a from-scratch guide to API authentication — Basic Auth, API keys,
bearer tokens, JWT, and OAuth 2.0 — plus how to actually test each one:
👉 https://www.orbittest.dev/blog/api-authentication-oauth-jwt-tokens
What auth method does your current project use?