FusionAuth

    If I can decode a JWT, then how are they secure?

    akira

      FusionAuth issues a lot of JWTs. But since I can grab any JWT from the browser and decode it using a JWT debugger, how could this be considered secure?

    akira

        Good question.

        JWTs are either signed or encrypted. For the most part, you will encounter signed JWTs. When a JWT is created by an authorization server, it is signed. The signature essentially functions as a way to say "this payload has been signed using this algorithm. If the payload is different from what was signed, then this JWT is invalid." It is important not to pass sensitive data in a JWT payload, because it can be viewed, but if a malicious actor tries to tamper with the JWT, the signature will no longer match it, and it will be invalid.

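The signature check the answer describes, as an added example using only Python's standard library (this is not code from the post or from FusionAuth). It shows that the payload decodes with no key at all, yet a payload edited without the signing key no longer verifies. The HMAC key and the claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this example only; a real authorization server
# keeps its key private, so the browser can read tokens but never re-sign them.
SECRET = b"example-hmac-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, key: bytes) -> str:
    """Build an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """What a JWT debugger does: the payload is only encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes):
    """Return the claims if the signature matches, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    # Pin the expected algorithm instead of trusting the token's own header.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))


def alter_claims(token: str, changes: dict) -> str:
    """Edit the payload but keep the old signature, which is all someone without the key can do."""
    header_b64, _, sig_b64 = token.split(".")
    claims = decode_unverified(token)
    claims.update(changes)
    return f"{header_b64}.{b64url_encode(json.dumps(claims).encode())}.{sig_b64}"
```

Running `verify_jwt` on the output of `alter_claims` returns None even though `decode_unverified` happily shows the edited claims, which is exactly the property the answer relies on.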