Can I Skip Verification of Information Encoded in JWTs?

I have a little app that uses JWT to make some transactions (on a virtual “currency”, like tokens or points or credits). I don’t need it to be super secure (it’s only going to be online for maybe 6 hours), and adding a database just increases overhead and response time from the server for every transaction.

For example, say a JWT contains the user’s current balance. It is signed by the server and sent to the client. Then, the client sends back the JWT every time it makes a transaction.

Are JWTs secure enough that I can just verify the signature and skip checking the DB? In my example, can I just proceed with the transaction without checking in a DB whether the user has enough balance to proceed with the transaction?

Hi @bittere

Welcome to the Auth0 Community!

Thank you for asking your question. You shouldn’t rely solely on signature validation due to not trusting client-side data; if possible, you should always verify the content of the JWT with your source of truth.

Thanks
Dawid
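To show concretely why signature validation alone is not enough for the balance-in-a-JWT design from the question, here is an added example (not code from the thread or from Auth0): a minimal HS256 JWT minted with Python's standard library, a spend function that trusts the balance claim once the signature checks, and one that also consults a server-side ledger. The secret, the in-memory ledger and the `seq` claim are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"server-only-secret"  # constructed for this example; never sent to clients


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, balance: int, seq: int) -> str:
    """Server mints an HS256 JWT carrying the balance and a per-user sequence number."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user, "balance": balance, "seq": seq}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Check the signature with a pinned algorithm; the header's alg field is not trusted."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def spend_signature_only(token: str, amount: int):
    """The design from the question: trust the balance claim once the signature checks.
    A genuine but older token still verifies, so it can be presented again."""
    claims = verify_token(token)
    if claims["balance"] < amount:
        return None
    return issue_token(claims["sub"], claims["balance"] - amount, claims["seq"] + 1)


# In-memory ledger standing in for the server-side source of truth (constructed).
LEDGER = {"alice": {"balance": 100, "seq": 0}}


def spend_checked(token: str, amount: int):
    """Signature check plus source of truth: balance and sequence must match the ledger."""
    claims = verify_token(token)
    rec = LEDGER[claims["sub"]]
    if claims["seq"] != rec["seq"] or rec["balance"] < amount:
        return None  # stale or re-presented token, or insufficient funds
    rec["balance"] -= amount
    rec["seq"] += 1
    return issue_token(claims["sub"], rec["balance"], rec["seq"])
```

The ledger lookup is what turns "this token was signed by us" into "this token reflects the user's current state", which is the distinction the answer draws.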
