clarkk clarkk - 11 months ago 144
Node.js Question

decode jwt token - is it secure?

Have setup a test server with express, and a token-based authentication with jwt

Have looked at this tutorial

On the server-side the tutorial logs the decoded token

console.log(, 'connected');

But when I try to log
the variable is undefined..
doesn't contain any variables with the decoded token

So.. I tried to google how to decode the token and found this page

I pasted the public token and the script decoded the token without the jwtSecret!? Hmmm... And then I'm thinking.. How can it be secure if the script can decode the token without the secret!?

The public token which is returned to the client as authentication


dc5 dc5
Answer Source

The token is not encrypted, just encoded.

The signature, built with your secret, is the important bit and ensures that the token hasn't been tampered with.

Here's a decent (and short) writeup that explains that in a bit more detail