how can https://jwt.io/ decrypt jwt token without knowing the secretKey

Question

this is a simple function to create jwt token based on id

 createAccessToken(id: string) {
 const token = sign({ id }, process.env.JWT_SECRET, { expiresIn: '1d' });
 return token;
    }

now when I give the token to https://jwt.io/ without specifing the secretkey the website can still decrypt it

how can this be possible?

Manfred · Accepted Answer · 2023-01-02T15:59:39.917

1

JWTs are not encrypted, but basically just base64 encoded, cf. RFC 7519. As you can see on https://jwt.io/, you need to provide the secret key if you want to verify the signature.

edited Jan 02 '23 at 15:59

answered Jan 02 '23 at 15:49

Manfred

2,269
1
5
14

how can https://jwt.io/ decrypt jwt token without knowing the secretKey

1 Answers1