Token validation with
Hello, I have a question.
We have developed, for our application, our own JWT token creator and parser in Java. We used no library, but just the Java SDK, and followed the relevant RFC spec and other descriptions found elsewhere.
During development we used the to create tokens and to verify our own generated tokens. All works fine.

The purpose is to validate tokens generated by another party. We have now done the first integration tests, but found that the other party generates tokens which our validator regards as invalid. On the other hand, accepts these tokens. To us these tokens definitely look base64 rather than base64url encoded, which in our opinion is not spec-conformant. works in two directions. So if afterwards we use the tool to generate the token, it generates a different token, which our validator accepts.

Can you tell us a reason why the other party token can be successfully validated with the tool?


We analyzed the third-party token and the validator behaviour:
As assumed, the other party uses Base64 rather than Base64URL encoding.
The validator obviously uses the received encoded header/payload string to generate the signature to compare with the received signature. According to, chap. 5.2.8, this is wrong, because the comparison signature must be generated from a newly generated header/payload string. If you did this, the Base64URL encoding problem would become obvious, and thus the token validation would fail.
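To make the difference between the two validators concrete, here is an added Python example; it is not the poster's Java code nor the tool's implementation, and the HS256 secret, header and payload are constructed for the demonstration. The strict path checks every segment against the base64url alphabet of RFC 7515 section 2 before decoding, which is enough to reject a token whose segments are standard base64; the lenient path decodes the same segments with Python's `urlsafe_b64decode`, which silently accepts `+`, `/` and `=`, so the MAC over the received `header.payload` bytes still verifies and the token is accepted.

```python
import base64, hashlib, hmac, json, re

SECRET = b"constructed-demo-secret"    # constructed for this example, not from the post
B64URL = re.compile(r"[A-Za-z0-9_-]+")  # RFC 7515 section 2 alphabet, no '=' padding

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str, strict: bool) -> bytes:
    # strict=True rejects '+', '/' and '=' up front; urlsafe_b64decode alone
    # would quietly decode them, which is the lenient behaviour described above.
    if strict and not B64URL.fullmatch(seg):
        raise ValueError(f"segment is not base64url: {seg!r}")
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def hs256(signing_input: bytes) -> str:
    return b64url_encode(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def make_token(payload: dict, std_base64: bool = False) -> str:
    # std_base64=True imitates the third party: standard base64 (with '+', '/'
    # and '=' padding) for header and payload instead of base64url.
    enc = (lambda b: base64.b64encode(b).decode("ascii")) if std_base64 else b64url_encode
    h = enc(b'{"alg":"HS256","typ":"JWT"}')
    p = enc(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}." + hs256(f"{h}.{p}".encode("ascii"))

def validate(token: str, strict: bool = True) -> dict:
    # RFC 7515 section 5.2: split into three segments, decode each, check the
    # algorithm, then verify the MAC over the received "header.payload" input.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h, strict))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    payload = json.loads(b64url_decode(p, strict))
    b64url_decode(s, strict)  # the signature segment must be base64url as well
    if not hmac.compare_digest(hs256(f"{h}.{p}".encode("ascii")), s):
        raise ValueError("signature mismatch")
    return payload

def accepts(token: str, strict: bool = True) -> bool:
    try:
        validate(token, strict)
        return True
    except ValueError:
        return False
```

Checking the alphabet of the received segments, rather than re-serializing the JSON and re-encoding it, avoids depending on the other side's exact whitespace and key order while still rejecting non-base64url input.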