
Why does JWT verify tampered tokens?



I’ve been doing tests with the token example and I don’t get why the JWT Debugger verifies this token:

and also this one:

with the same secret key (“your-256-bit-secret”). I must be missing something, can anyone explain it to me?



This is just a guess, but the two tokens differ ONLY in the last two bits:
0xC = 1100
0xF = 1111
I would guess these last two bits are not really part of the payload.
If we do 0x8 as the last bit (1000) the signature is invalid.
If we do D and E, the signature is also verified.
So, I’d guess these are just unused bits.



You can replace that last character with a ‘c’, ‘d’, ‘e’, or ‘f’ and it is considered valid. Anything else and it is invalid. No idea why though.
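Both replies above are describing a property of base64url: a 32-byte HMAC-SHA256 tag becomes 43 characters, which is 258 bits, so the last character carries only 4 data bits and 2 unused bits. The following added example (not code from the thread or from Auth0) reproduces the observation with a constructed token signed with the secret the question mentions, and shows the check a verifier can add to reject non-canonical signature encodings.

```python
import base64
import binascii
import hashlib
import hmac
import json

# base64url alphabet from RFC 4648 section 5 (position = 6-bit value)
B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"


def b64url_encode(data: bytes) -> str:
    # Canonical, unpadded base64url as JWS (RFC 7515) requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode_lenient(text: str) -> bytes:
    # Python's decoder silently drops the unused low bits of the final
    # character; the debugger in the thread evidently does the same.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(header: dict, payload: dict, secret: str) -> str:
    def seg(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg(header)}.{seg(payload)}"
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: str, strict: bool) -> bool:
    try:
        h, p, s = token.split(".")
        sig = b64url_decode_lenient(s)
    except (ValueError, binascii.Error):
        return False
    # A canonical signature round-trips through encode(decode()) unchanged;
    # non-zero unused bits (or stray padding) fail this check.
    if strict and b64url_encode(sig) != s:
        return False
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def last_char_variants(token: str) -> list:
    # Flip only the 2 unused bits of the last character: four spellings,
    # one signature (the c/d/e/f effect described in the thread).
    idx = B64URL.index(token[-1])
    return [token[:-1] + B64URL[(idx & ~3) + i] for i in range(4)]


# Constructed sample token; the thread's own tokens are not reproduced here.
SECRET = "your-256-bit-secret"
TOKEN = make_hs256_token({"alg": "HS256", "typ": "JWT"}, {"sub": "user-1"}, SECRET)

if __name__ == "__main__":
    for t in last_char_variants(TOKEN):
        print(t[-1], verify_hs256(t, SECRET, False), verify_hs256(t, SECRET, True))
```

With `strict=False` all four variants verify; with `strict=True` only the canonical spelling does, which is the behaviour to want if signatures are ever used as cache keys or compared as strings.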


I wanted to reach out and let you know to please feel free to visit us again if you have any additional questions! Thanks!

