What data should I obscure when showing my Auth0 setup and decoded JWTs in a video?

I know the client secret is private data; the dashboard UI conveniently masks it by default. But is there any other data I should be sure to obscure that is visible in the Auth0 dashboard / unencoded JWTs when showing my setup to others via a video? Is there any data in a standard JWT payload that I should mask from others? For instance, is one’s ID with an identity provider considered sensitive data?

Thanks!

Hey there @housecor, after checking with our support team, they felt that, depending on which scopes you are requesting (or, if none, you’ll get openid profile email), you will have access to a full user profile. We would recommend creating a test user with a test email and filming the content that way. I hope this helps answer your question!


Thanks James! That makes sense, and I did that for most of the video, but I used my real Gmail account in spots when showing identity providers. Hence, my question about what I should mask in my JWT/dashboard. 🙂

Yeah I would just say be mindful what you are showing when exploring the dashboard on video with content like user emails, client IDs, etc. Be sure to share the link with us when you post the video!

Thanks James! This is for an upcoming Pluralsight course: “Securing React Apps with Auth0”. Should drive you all a lot of traffic since it will be on the React path.

I’d welcome feedback if anyone on the Auth0 team wants to review my demo. 🙂

Ping me on gmail if interested. Same as my screen name here.
