JWT.io Debugger does validate at all. Considers ANY secret as valid. How is this possible?

suchislife801 · September 1, 2023, 1:40pm

Go to JWT.io right now and under Verify Signature which contains “your-256-bit-secret” go ahead and type anything in. I mean ANYTHING. What do you see?

Signature Verified.

Go to JWT.io again, then copy & paste your perfectly fine custom JWT in the Encoded Box. Now enter your custom Secret. What do you see?

Signature Verified.

Now go ahead modify your custom Secret under Verify Signature. Yep, go ahead and smash buttons on your keyboard. Type anything. Yes, really. What do you see?

Signature Verified.

How is this possible?

tyf · September 1, 2023, 6:23pm

I believe this answers your question:

suchislife801 · September 11, 2023, 5:30pm

And you couldn’t just code it so it works both ways?

system · September 25, 2023, 5:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to verify signature in the debugger for RS256? JWT.io jwt-debugger , jwtio	2	5074	August 27, 2019
Why JWT verify tampered tokens? JWT.io	4	4344	December 5, 2018
Https://jwt.io/ issue JWT.io	1	3143	January 29, 2020
Why does jwt.verify() give "invalid signature"? JWT.io	13	92721	January 22, 2019
JWT.io - HS256 validation false positivites AFTER initial verification? JWT.io bug , jwt	0	966	August 29, 2023