Why does JWT verify tampered tokens?



I’ve been doing tests with the example token and I don’t get why the JWT Debugger verifies this token:

and also this one:

with the same secret key (“your-256-bit-secret”). I must be missing something, can anyone explain it to me?



This is just a guess, but the two tokens differ ONLY in the last two bits:
0xC = 1100
0xF = 1111
I would guess these last two bits are not really part of the payload.
If we do 0x8 as the last bit (1000) the signature is invalid.
If we do D and E, the signature is also verified.
So, I’d guess these are just unused bits.



You can replace that last character with a ‘c’, ‘d’, ‘e’, or ‘f’ and it is considered valid. Anything else and it is invalid. No idea why though.
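The two answers above are explained by base64url arithmetic, shown here with an added Python example that is not part of the thread: a 32-byte HMAC-SHA256 tag encodes to 43 base64url characters (258 bits), so the final character carries only 4 significant bits and a lenient decoder drops the other 2 before the bytes are compared, which is why exactly four final characters ('c', 'd', 'e', 'f' for a tag ending in that nibble) verify. The secret is the one quoted in the question; the payload, the function names and the `strict` mode (which rejects non-canonical signature encodings) are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json

SECRET = b"your-256-bit-secret"  # the jwt.io default secret quoted in the question
B64URL_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Lenient: leftover bits in the final character (bits that do not complete
    # a byte) are silently discarded, so "c", "d", "e" and "f" decode identically.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    # 32-byte tag -> 43 base64url chars = 258 bits, 2 of which carry no data.
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def verify_hs256(token: str, secret: bytes, strict: bool = False) -> bool:
    """Lenient mode compares decoded signature bytes only; strict mode also
    requires the signature text to be the canonical encoding of those bytes."""
    try:
        header, body, sig = token.split(".")
        given = b64url_decode(sig)
    except (ValueError, binascii.Error):
        return False
    if strict and b64url_encode(given) != sig:
        return False  # non-canonical encoding: reject even though the bytes match
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)

def accepted_last_chars(token: str, secret: bytes, strict: bool = False) -> str:
    """Every alphabet character that, substituted for the final signature character, still verifies."""
    return "".join(c for c in B64URL_ALPHABET
                   if verify_hs256(token[:-1] + c, secret, strict))

if __name__ == "__main__":
    tok = sign_hs256({"sub": "demo-user"}, SECRET)  # constructed sample payload
    print("lenient accepts:", accepted_last_chars(tok, SECRET))        # 4 characters
    print("strict accepts: ", accepted_last_chars(tok, SECRET, True))  # only the original
```

The four accepted characters always form one aligned group of the alphabet (indices sharing the same upper 4 bits), and the signature bytes are identical in every case, so nothing about the token was actually forged; a verifier that insists on canonical encoding accepts only the original.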


I wanted to reach out and let you know to please feel free to visit us again if you have any additional questions! Thanks!