Auth0 Home Blog Docs

Why jwt token allowing to decrypt the token without secret key(signature)


#1

If i have a jwt token,if i try to decode in jwt.io,it allowing decryption without allowing secret key or signature,why it has this kind of ability ,is any reason for that?


#2

That is how jwt’s work. Yes, the user can decrypt it and see the data, but if they modify it, when it gets back to the server it will not match and therefore be invalid.

For this reason do not store any sensitive data in the jwt.