
Is the payload safe?

jwt
payload
security-questions

#1

I am developing a project using JSON Web Tokens. I was wondering if it is possible to edit the payload part of the token from the client side (without knowing the key), send the token with that changed payload to the API, and have it accepted as valid.
In my case I would like to store the user's role in the token, so when the client returns the token to the API, I can check his role and give him access to certain actions or not. But of course, if you can edit the payload from the client without modifying the signature and the server still accepts the token as valid, it would not be safe, because anyone could edit their role inside the token.
Thanks!


#2

A JWT signature is generated over the header and payload; if the header or payload is modified, the JWT will not validate. Yes, it's safe.