Need to know more details for jwt.decode functionality in python
Since you’re asking about jwt.decode, I assume you’re using node-jsonwebtoken. From the repository:
- (Synchronous) Returns the decoded payload without verifying if the signature is valid. Warning: This will not verify whether the signature is valid. You should not use this for untrusted messages. You most likely want to use jwt.verify instead.
- (Asynchronous) If a callback is supplied, function acts asynchronously. The callback is called with the decoded payload if the signature is valid and optional expiration, audience, or issuer are valid. If not, it will be called with the error.
- (Synchronous) If a callback is not supplied, function acts synchronously. Returns the payload decoded if the signature is valid and optional expiration, audience, or issuer are valid. If not, it will throw the error.
The jwt.decode method only decodes the token and should only ever be used on trusted messages. Since jwt.verify also decodes the token after verification, it provides a safer and more secure way to decode the token, so it should be the preferred method.