This is probably a super noob question, so please bear with me. I’m using the jsonwebtoken library in Node to generate a JWT. I can copy and paste this token into the debugger at jwt.io and see my header and all my payload data without a proper “Verify Signature” field.
How is this so? Isn’t my data supposed to be encrypted using the signature? Can a hacker simply copy an access token from an HTTP response and paste it into the JWT debugger and view all the data within the token without knowing the "secretOrPrivateKey"?
I apologize for the delayed response on this one but wanted to get it out there.
While JWTs can be encrypted (JWE), Okta/Auth0 at this time does not support them. The JWTs that Auth0 issues are signed rather than encrypted so you’re correct in thinking that they could be intercepted and decoded revealing the data inside. Long story short, with a signed JWT you can verify that the data hasn’t been changed and is thus valid. Confidential information shouldn’t be stored in tokens. The following resources provide some useful information on token best practices, security, and more in-depth technical details: