Can JWT easily be hacked by Debugger?

This is probably a super noob question, so please bear with. I’m using the jsonwebtoken library in Node to generate a JWT. I can copy and past this token into the debugger at jwt.io and see my header and all my payload data without a proper “Verify Signature” field.

How is this so? Isn’t my data supposed to be encrypted using the signature? Can a hacker simply copy an access token from an HTTP response and paste it into the JWT debugger and view all the data within the token without knowing the " secretOrPrivateKey"?

Please clarify, thanks!

Hey there @Tone welcome to the community!

I apologize for the delayed response on this one but wanted to get it out there :slight_smile:

While JWTs can be encrypted (JWE), Okta/Auth0 at this time does not support them. The JWTs that Auth0 issues are signed rather than encrypted so you’re correct in thinking that they could be intercepted and decoded revealing the data inside. Long story short, with a signed JWT you can verify that the data hasn’t been changed and is thus valid. Confidential information shouldn’t be stored in tokens. The following resources provide some useful information on token best practices, security, and more in-depth technical details:

Hope this helps!

Much appreciated @Tyf! that answers my question. I’ll check out the docs you sent now :slight_smile:

1 Like

No problem, happy to help! :rocket:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.