Robert Townley Robert Townley - 1 month ago 19
Python Question

PyJWT returning invalid token signatures

I'm using PyJWT==1.4.2 to generate tokens that I intend to use for Firebase authentication.

Unfortunately I'm not able to use any of the third-party Python Firebase libraries, and even if I could I had the same difficulty when I tried with FirebaseTokenGenerator.

Inside of my API, I have a function for generating a token for a username.

118 def generate_token(self, username):
119 payload = {
120 'something': 'Here',
121 }
122 secret = "TESTSECRET"
123 token = jwt.encode(
124 payload,
125 secret,
126 algorithm='HS256')
127 return token


An example of a token I get from this function is:


eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21ldGhpbmciOiJIZXJlIn0.fpIMSRJ3AAL30LIDwHJM9ZOumdRzS7yooiiUgMPms2Y



Unfortunately, this is not a valid token. Online resource such as https://jwt.io/ are telling me that the signature portion is invalid.

Not sure if this is further helpful info, but when I try decoding the token I get the following:

b'{"alg":"HS256","typ":"JWT"}{"something"[83 chars]\x88'


Any thoughts on what I might be doing wrong?

Answer

That is indeed a valid token, if you go to jwt.io and paste that token and then update the secret used to verify it to be the same you used to generate the token then the tool will indicate that the signature is valid.

By default, jwt.io tries to validate the signature using the HS256 algorithm and the default secret of secret. You're indeed creating a JWT using the HS256 algorithm so the only thing you need to do to check if it's valid is to update the secret input box to use TESTSECRET.

Also, the signature component of JWT is raw binary data that may not display correctly if you try to decode it to text. For a bit more on how JWT's work you can check Get Started with JSON Web Tokens.