If the HEADER the same and the PAYLOAD the same, the TOKEN the same?

if the TOKEN expires, and you login next time, assuming that the HEADER still uses the same algorithm, and the PAYLOAD remains unchanged(the user information remains unchanged), is the calculated signature by the server the same as last time? The TOKEN issued twice isn’t the same?

Hi @13524063481,

Welcome to the Auth0 Community!

I wouldn’t expect the payload to be the same, even if the user data hasn’t changed. Tokens have some claims to indicate when they are issued and when they expire (iat and exp). When these claims change, the signature changes.

1 Like

So can I understand that the issued time and expiration time you mentioned will be reflected in payload both all , so that each calculated signature and token are different?

Any change in the payload will cause the token signature to differ. Hope this helps!

1 Like

Perhaps what you want is to understand the registered claims. More specifically, jti.

RFC 7519 - JSON Web Token (JWT)

Section 4.1.7. “jti” (JWT ID) Claim

The “jti” (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The “jti” claim can be used to prevent the JWT from being replayed. The “jti” value is a case- sensitive string. Use of this claim is OPTIONAL.

const jti: string = window.crypto.randomUUID();

Thanks for the added context @suchislife801

Thank you for your reply

1 Like

Thank you for your help

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.