10

I signed a jwt in nodejs with the below snipet.

var jwtoken = jwt.sign({ email: 'test@test.com', name: 'test' }, 'abcd');

I got the below token after signing

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3RAdGVzdC5jb20iLCJuYW1lIjoidGVzdCIsImlhdCI6MTYzNjE4MjYwOX0.07FXjm1lKEIiU_QOMEEOFzhsC0vtKt4PFoW-7YHHzyM

I wanted to verify this with jwt.io when I paste the JWT in jwt.io, I can see the the site says the "Signature Verified" for whatever key I provide(I dont need to provide abcd which is my actual key). I was expecting that the key would be required to determine if a signature is valid. How does the jwt.io determine if a jwt is valid without the original key.

ArunJose
  • 1,999
  • 1
  • 10
  • 33
  • It says "Invalid Signature" to me – slebetman Nov 06 '21 at 07:34
  • https://static.rcgroups.net/forums/attachments/2/6/7/7/4/4/a15524259-81-Screenshot%20at%202021-11-06%2015-34-34.png – slebetman Nov 06 '21 at 07:37
  • @slebetman based on the question title *Signature Verified even when key is not provided* your statement is correct. When no secret is provided the result is 'invalid signature'. However, in the question the OP writes *"Signature Verified" for whatever key I provide*. That's the case covered in my answer. – jps Nov 06 '21 at 08:14

2 Answers2

29

The https://jwt.io debugger works in both directions, you can inspect and verify tokens or create and sign tokens. When you first paste your token on the left side and then paste the secret or key into the field under 'verify signature' in the right column, the signature will be recreated and you should notice that it changed. In this case, the result is always 'signature verified', because the signature was just calculated based on the entered secret.

The correct way to verify a signature is to first paste the key into the secret key field and then paste the token to the left part of the debugger. Always make sure, that any other content in the input fields is overwritten. If your key is actually Base64 encoded (i.e. a binary secret that is stored in Base64 encoded form), you should tell jwt.io by checking the "secret base64 encoded" checkbox.

enter image description here

Then the result, either 'signature' verified' or 'invalid signature', will be correct.

Every secret that you enter after that causes a recalculation of the signature and then it's always verified (with the new secret). Also clicking on the "secret bas64 encoded" checkbox causes recalculation. enter image description here

But if you do it in the right order, a wrong secret causes an "invalid signature" result:

enter image description here

jps
  • 20,041
  • 15
  • 75
  • 79
0

While jps' answer is correct for symmetric keys (where the server and client both have the private key), if you're using asymmetric encryption (such as RSA, which is what SSL/TLS certs uses for HTTPS) and verifying the signature with the public key, jwt.io uses OIDC provider metadata to locate the public key. See a full description here: How does JWT.io already know my public key?

shloosh
  • 525
  • 7
  • 10