
JWT tokens required signing key to decode them, but in https://jwt.io/ it can be decoded without any signing key, how is this possible.

Shaun the Sheep
  • No, the signing key is not required to decode, but it is required to verify the signature. And your services must not ever use a JWT without verifying its signature. – luk2302 Jan 11 '21 at 15:10
  • related: https://stackoverflow.com/questions/27301557/if-you-can-decode-jwt-how-are-they-secure?rq=1 – jps Jan 11 '21 at 15:14
  • the key is used to sign the token or to verify the signature of an existing token. The header and payload can easily be decoded, they're just Base64Url encoded. – jps Jan 11 '21 at 15:15
    Some nitpicking: the "T" in JWT stands for "token", so writing JWT token is redundant. – Henry Jan 11 '21 at 15:16
  • Notice that "verify signature" block in jwt.io - that's where your signing key comes into play. – Gimby Jan 11 '21 at 16:48

1 Answer


You do not need a key to decode it; you need a key to verify that nobody changed the contents of the JWT. In fact, the string you see is just Base64 of JSON with your information, metadata, and a "signature" over all of the content.

The signature is the most important part of a JSON Web Token (JWT). A signature is calculated by encoding the header and payload using Base64url encoding and concatenating them with a period separator, which is then given to the cryptographic algorithm.

// signature algorithm
data = base64urlEncode( header ) + "." + base64urlEncode( payload )
signature = HMAC-SHA256( data, secret_salt )

So when the header or payload changes, the signature has to be calculated again. Only the Identity Provider (IdP) has the private key to calculate the signature, which prevents tampering with the token.

read more:

https://medium.com/@sureshdsk/how-json-web-token-jwt-authentication-works-585c4f076033

https://jwt.io/introduction/

https://www.youtube.com/watch?v=7Q17ubqLfaM

Gimby
Eden Moshe
  • And the receiving end either has the public key to be able to decode and verify locally or invokes a url on the identity provider to do the actual signature verification. – Gimby Jan 13 '21 at 09:16
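The following is an added example, not code from the answer or from jwt.io, that shows the two operations the thread keeps apart: decoding the header and payload with no key at all (what jwt.io's decoder does), and verifying the HS256 signature with the shared secret (what a service must do before trusting any claim). It uses only the Python standard library; the secret, header and payload are constructed sample values. It also shows why the key matters: a payload swapped in under the original signature still decodes fine but fails verification, and a token that claims "alg": "none" is rejected because the verifier pins the algorithm instead of reading it from the header. Asymmetric algorithms (RS256, ES256), where the receiver holds a public key as Gimby's comment describes, are not covered here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample inputs for this example; not taken from any real system.
SECRET = b"example-shared-secret-do-not-reuse"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "Shaun", "admin": False}


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWS requires for each segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the token omits, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact token: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """What a decoder such as jwt.io does: read header and payload with no key."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the HS256 signature checks out, otherwise None.

    The algorithm is pinned to HS256 rather than taken from the header, so a
    token that claims "alg": "none" (or any other algorithm) is rejected.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError:  # not exactly three segments
        return None
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison: a plain == on MACs leaks timing information.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap the payload while keeping the original signature, as an attacker would try."""
    header_b64, _payload_b64, signature_b64 = token.split(".")
    return header_b64 + "." + _json_segment(new_payload) + "." + signature_b64


def alg_none_token(payload: dict) -> str:
    """An unsigned token with "alg": "none" and an empty signature segment."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(payload) + "."


if __name__ == "__main__":
    token = sign_hs256(HEADER, PAYLOAD, SECRET)
    print("decoded without key:", decode_unverified(token)[1])
    print("verified with key:  ", verify_hs256(token, SECRET))
    forged = tamper_payload(token, {**PAYLOAD, "admin": True})
    print("forged, decoded:    ", decode_unverified(forged)[1])   # admin: True
    print("forged, verified:   ", verify_hs256(forged, SECRET))   # None
```

The point to carry into a real service is the shape of `verify_hs256`: it never trusts the `alg` field, it compares MACs with `hmac.compare_digest`, and it returns the claims only after the check passes, so calling code cannot accidentally use an unverified payload. Production code should use a maintained library rather than this hand-rolled verifier, but the library call must still be the verifying one, not the decode-only one.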