JWT.io Debugger does validate at all. Considers ANY secret as valid. How is this possible?

suchislife801 · September 1, 2023, 1:40pm

Go to JWT.io right now and under Verify Signature which contains “your-256-bit-secret” go ahead and type anything in. I mean ANYTHING. What do you see?

Signature Verified.

Go to JWT.io again, then copy & paste your perfectly fine custom JWT in the Encoded Box. Now enter your custom Secret. What do you see?

Signature Verified.

Now go ahead modify your custom Secret under Verify Signature. Yep, go ahead and smash buttons on your keyboard. Type anything. Yes, really. What do you see?

Signature Verified.

How is this possible?

tyf · September 1, 2023, 6:23pm

I believe this answers your question:

suchislife801 · September 11, 2023, 5:30pm

And you couldn’t just code it so it works both ways?

system · September 25, 2023, 5:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.