Why does jwt.verify() give "invalid signature"?

owendall · October 13, 2018, 4:23pm

In the JWT.io debugger it says it is verified.

jerdog · October 13, 2018, 5:31pm

In the docs for this:

it mentions that if you’re specifying the wrong key to verify against you’ll get that error:

the jwt.verify() method supports a secretOrPublicKey argument. This should be populated with a string or buffer containing either the secret (for HS256 ), or the PEM encoded public key (for RS256 ).

owendall · October 13, 2018, 8:45pm

Thanks for your response. I used the same secret key as I pasted into the JWT.io debugger In the screen capture.

Let me know if this is not the correct code:

var decoded = jwt.verify(token, secret_key);

owendall · October 13, 2018, 8:48pm

Would it be helpful If I included the token and the secret used? It is not in production, just testing.

owendall · October 14, 2018, 12:47am

Hi Jeremy,

Let me know what I am doing wrong. Must be something simple.

This example generated with the Auth0 example. The signature verification works in the JWT.io debugger, but not in my node code:

[mod edit: removing]

jerdog · October 14, 2018, 8:00am

Ok so will need to review. The first thing that comes to mind is that you could be mixing up your secret and public keys?

No - regardless of if in production or not you should never post them publicly. You can send them via DM.

owendall · October 12, 2018, 2:19pm

I am just starting to test using Auth0 for one of our apps. This is a noob question…

I have successfully configured an app and logged in a user using the /01-Login/ javascript example in the Auth0 github.
I tested the generated id_token on JWT.io along with the client secret, the debugger showed the signature was verified
However, when I pass the id_token to an AWS Lambda function, jwt.verify() gives me the error "invalid signature.’

It appears I should not be using the id_token for from an application to check for further permissions? Only the API builder in the Auth0 management console has the option to using the “signing secret” and not the “client secret.”

I was attempting to test passing in the id_token created in the /01-Login/ javascript example in the Auth0 github repo to an AWS lambda function for verification.

owendall · October 12, 2018, 3:46pm

Using the latest version of jsonwebtoken in node.js

var decoded = jwt.verify(token, secret_key);

owendall · October 12, 2018, 9:50pm

I also tried jwt.verify() on the access token generated by a test API setup, using the signing secret. Also get “invalid signature” usin jst.verify() even though it appears correct using the JWT.io debugger.

I must be missing something very fundamental. Help appreciated!

jerdog · October 14, 2018, 11:12am

You might find helpful information in the solution on this thread:

owendall · October 14, 2018, 1:01pm

I reviewed that before I posted my issue. I switched to using the signing secret. Still no luck,.

owendall · October 14, 2018, 7:11pm

The crux of the matter is: Signature verification works on your (JWT.io) debugger, but not using the the “jsonswebtoken” (jwt) library here:

kimcodes · November 5, 2018, 8:49pm

@owendall are you still experiencing issues with verifying your tokens?

jerdog · January 22, 2019, 12:00am

This topic was automatically closed after 14 days. New replies are no longer allowed.