Why does a JWT allow decrypting the token without the secret key (signature)?

If I have a JWT and try to decode it in jwt.io, it allows decryption without requiring the secret key or signature. Why does it have this kind of ability? Is there any reason for that?

That is how JWTs work. Yes, the user can decrypt it and see the data, but if they modify it, when it gets back to the server it will not match and therefore be invalid.

For this reason, do not store any sensitive data in the JWT.
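Added example (not from this thread) showing the point the answer makes with a minimal HS256 JWT built from the Python standard library: the payload is only base64url-encoded, so anyone can read it with no key, but a modified payload no longer matches the HMAC signature and fails verification on the server. The secret, claims and token below are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; in practice it exists only on the server.
SECRET = b"server-only-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # Restore the '=' padding that JWT encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Build an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def decode_without_key(token: str) -> dict:
    """What jwt.io does: no secret needed, the payload is just encoded, not encrypted."""
    _, body, _ = token.split(".")
    return json.loads(b64url_decode(body))


def verify_jwt(token: str, secret: bytes) -> bool:
    """What the server does: recompute the HMAC and compare it in constant time."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def modify_payload(token: str, new_payload: dict) -> str:
    """Swap the payload but keep the old signature, i.e. a change made without the secret."""
    header, _, sig = token.split(".")
    body = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{sig}"


if __name__ == "__main__":
    token = sign_jwt({"sub": "42", "role": "user"}, SECRET)
    print("readable without key:", decode_without_key(token))
    print("original verifies:", verify_jwt(token, SECRET))
    print("modified verifies:", verify_jwt(modify_payload(token, {"sub": "42", "role": "admin"}), SECRET))
```

Because the payload is readable by anyone holding the token, the signature protects integrity only, not confidentiality, which is why the answer says not to put sensitive data in it.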
