JWT.io Debugger doesn't validate at all. Considers ANY secret as valid. How is this possible?

  1. Go to JWT.io right now and under Verify Signature which contains “your-256-bit-secret” go ahead and type anything in. I mean ANYTHING. What do you see?

Signature Verified.

  2. Go to JWT.io again, then copy & paste your perfectly fine custom JWT in the Encoded Box. Now enter your custom Secret. What do you see?

Signature Verified.

  3. Now go ahead and modify your custom Secret under Verify Signature. Yep, go ahead and smash buttons on your keyboard. Type anything. Yes, really. What do you see?

Signature Verified.

How is this possible?

Hey there @suchislife801 !

I believe this answers your question:

And you couldn’t just code it so it works both ways?
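Added example (not part of this thread, and not Auth0 or JWT.io code): a minimal HS256 signer and verifier, plus a function that mimics what an encoder/decoder tool does when you edit the secret field, namely keep the header and payload and recompute the signature under the new secret. The payload and the second secret are constructed values; only “your-256-bit-secret” comes from the thread.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Restore padding before decoding a JWT segment."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Build header.payload.signature with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: str) -> bool:
    """What a server-side verifier does: recompute the MAC and compare.
    A token signed under a different secret fails here."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token alone
        return False
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def resign_like_debugger(token: str, new_secret: str) -> str:
    """Mimic an encoder/decoder UI: when the secret box changes, the header and
    payload stay and the signature is regenerated, so the check always passes."""
    h, p, _ = token.split(".")
    sig = hmac.new(new_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}." + b64url_encode(sig)
```

Run verify_hs256 against the original token with a second secret to see a real verifier reject it; run resign_like_debugger first and the same check passes, which is the behaviour the thread describes.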
