re: A Brief Introduction to Securing Applications with JWT VIEW POST


How can JWT be secure, if I can see the content inside it regardless of having the SECRET KEY?



The attacker can't benefit from having this data, since it doesn't have any sensitive information as mentioned in the article. Any user can 'claim' that he has the permission to do anything till whatever expiry date he chooses but he needs to prove that using the signature which he doesn't have control on.


That's because you haven't encrypted the token with any secret key, only using JWT's default setup. It's your own responsibility to add encryption to the token. That said, the token shouldn't be used for secret data, just data relevant to access authorization. The security lies with the signature, which prevents the payload and header from being manipulated, since it would result in a different signature.


I am talking about JWT at the top of this article.

The decoded is

  "iss": "mywebsite.com",
  "iat": null,
  "exp": 51437808000,
  "aud": "",
  "sub": "",
  "id": "1234591",
  "name": "Mary Poppins",
  "role": "editor"

Not sure if it is safe as sometimes it contains email and phone number as well. stackoverflow.com/questions/388975...

It's not inherently safe, no; not unless you apply an encryption scheme to it. But it's not meant to be. JWT, as the name implies, is just a stateless self-contained token used to identify the entity making a request, using a token that was issued by a trusted authority after the entity authenticated itself. It's essentially an immutable receipt for your authentication, that you can then show to the API server that "yes, I am authenticated - this is who I am", without needing any maintained state on the API server. The API server will then use this information to validate whether you have access to the operations your trying to carry out.

The token It's not a good place for transmitting sensitive information in general, and especially not when it's not encrypted.


The data in JWT isn’t secure, it’s just signed so you can know whether to trust it. It’s also possible to encrypt data before putting it into a JWT...but if it’s really so sensitive it probably doesn’t belong in there anyway.

code of conduct - report abuse