Auth0 Home Blog Docs

JWT validating correctly for different secrets.



I am using JWT to generate secure tokens. I am using HS512 algorithm. However, I have found that if I use “ThisIsSecret” as encryption secret and “ThisIsSecretA” as decryption secret it is still validating correctly. Since, on both sides keys are different JWT validation should fail.

Can anyone please explain me what is happening here and how should I go about choosing my secret?


The JWT format supports both signing and encryption, you mention use of HS512 so I’m assuming the mentioned secret relates to signing and not so much to encryption. The JWT specification is sufficiently complex to warrant the use of well established libraries instead of doing custom implementations. In addition you can even use services like Auth0 to take care of the issuance part and key generation for you.

Having said that and in relation to the problem you described the provided information is a bit to little to provide any definitive answer. Also, have in mind, this is a community that focus on support for integrations with the Auth0 service so although JWT’s are on-topic, the actual signing is handled by the service itself so you may want to consider posting more general questions in other Q&A forums like StackOverflow as you’ll likely reach a wider audience. If you choose to do that you should also include more information, in particular, sample code that demonstrates the situation will likely get you quicker replies in SO.