"alg": "none" validation bug on



On, if I change “alg”: “HS256” to “alg”: “none”, then the signature still passes validation. I can then change the body contents at will. This seems to be the very bug that the blog post in the warning on the same page warns about (

To be clear: if the header is eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0
then the token validates even though a signature is present.


Thanks for letting us know. I have logged this with the engineering team to fix.
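
For readers who want a regression check for the behaviour reported in this thread, here is an added example (not code from the thread or from the site discussed): a minimal HS256 verifier that selects the algorithm from its own allowlist instead of trusting the header. The function names, the demo key and the claims are assumptions made for illustration; the `none` header is the one quoted in the post.

```python
import base64, hashlib, hmac, json

# Verifier-side allowlist: the token's header never chooses outside this set.
ALLOWED_ALGS = {"HS256": hashlib.sha256}
NONE_HEADER = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0"  # header quoted in the post

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (used here only to build constructed test input)."""
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify(token: str, key: bytes) -> dict:
    """Return the claims, or raise ValueError. Any signature bytes are ignored
    until the algorithm has been accepted, so "none" fails before that point."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg") if isinstance(header, dict) else None
    digest = ALLOWED_ALGS.get(alg) if isinstance(alg, str) else None
    if digest is None:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), digest).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def rejection_reason(token: str, key: bytes):
    """Regression-test helper: None if the token verifies, else the error text."""
    try:
        verify(token, key)
        return None
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    good = sign_hs256({"sub": "alice"}, key)
    _, payload, sig = good.split(".")
    print(rejection_reason(good, key))
    print(rejection_reason(f"{NONE_HEADER}.{payload}.{sig}", key))
```

The second call reproduces the case from the post, a `none` header with a signature still attached, and a correct verifier must report it as rejected.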