
Why does jwt.verify() give "invalid signature"?


#1

In the JWT.io debugger it says it is verified.


Jwt.verify fails although token and key work in the JWT.io debugger
#2

In the docs for this:

it mentions that if you’re specifying the wrong key to verify against you’ll get that error:

the jwt.verify() method supports a secretOrPublicKey argument. This should be populated with a string or buffer containing either the secret (for HS256), or the PEM encoded public key (for RS256).


#3

Thanks for your response. I used the same secret key as I pasted into the JWT.io debugger in the screen capture.

Let me know if this is not the correct code:

var jwt = require('jsonwebtoken');
var decoded = jwt.verify(token, secret_key);


#4

Would it be helpful if I included the token and the secret used? It is not in production, just testing.


#5

Hi Jeremy,

Let me know what I am doing wrong. Must be something simple.

This example was generated with the Auth0 example. The signature verification works in the JWT.io debugger, but not in my node code:

[mod edit: removing]


#6

Ok so will need to review. The first thing that comes to mind is that you could be mixing up your secret and public keys?

No - regardless of if in production or not you should never post them publicly. You can send them via DM.


#8

I am just starting to test using Auth0 for one of our apps. This is a noob question…

1. I have successfully configured an app and logged in a user using the /01-Login/ javascript example in the Auth0 github.

2. I tested the generated id_token on JWT.io along with the client secret; the debugger showed the signature was verified.

3. However, when I pass the id_token to an AWS Lambda function, jwt.verify() gives me the error "invalid signature."

It appears I should not be using the id_token from an application to check for further permissions? Only the API builder in the Auth0 management console has the option to use the “signing secret” and not the “client secret.”

I was attempting to test passing in the id_token created in the /01-Login/ javascript example in the Auth0 github repo to an AWS lambda function for verification.


#9

Using the latest version of jsonwebtoken in node.js

var jwt = require('jsonwebtoken');
var decoded = jwt.verify(token, secret_key);


#10

I also tried jwt.verify() on the access token generated by a test API setup, using the signing secret. I also get “invalid signature” using jwt.verify() even though it appears correct using the JWT.io debugger.

I must be missing something very fundamental. Help appreciated!


#11

You might find helpful information in the solution on this thread:


#12

I reviewed that before I posted my issue. I switched to using the signing secret. Still no luck.


#13

The crux of the matter is: Signature verification works on your (JWT.io) debugger, but not using the “jsonwebtoken” (jwt) library here:

https://runkit.com/owendall/5bc28965f7b84200120e6f04


#15

@owendall are you still experiencing issues with verifying your tokens?