
I am working with the JWT API, I have generated a token using:

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import javax.servlet.http.HttpServletResponse;

// secret, headerString and tokenPrefix are String fields of the enclosing class.
public void addAuthentication(HttpServletResponse response, String name) {
    // We generate a token now: the subject claim is signed (HMAC-SHA512) with the secret.
    String JWT = Jwts.builder()
            .setSubject(name)
            .signWith(SignatureAlgorithm.HS512, secret)
            .compact();
    // Send it back in a response header, e.g. "Authorization: Bearer <token>".
    response.addHeader(headerString, tokenPrefix + " " + JWT);
}

and secret and token prefix being strings; however, it does generate a token, but when I copy it into

https://jwt.io/#debugger

It does decode it and reveal all the information stored inside it. Did I do something wrong, or is it as it should be? This does not seem secure at all.

Thanks for the answers

Darlyn

2 Answers


This is secure. Don't worry about it. Just store your key in a secure way. The remarkable point is that the decoded information cannot be changed, and a token cannot be generated, without the key.

Avoid storing essential information in the token, like a credit card number or password, etc. I'm sure that you are not using the JWT for this purpose.

If you want to hide the payload, the JWT specification allows the use of encryption (see JSON Web Encryption, JWE, in the RFC). If auth0 does not support it, there are a lot of libraries listed on jwt.io.

Check these topics

Tugrul
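As an added example (not the asker's jjwt code and not from either answer), the following Python implements the HS512 compact serialization that the question's signWith call produces, so the answers' point can be checked directly: the payload is readable without the key, but any edit to it, or a wrong key, fails signature verification. The secret and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; the real secret lives in the server configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs512(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) the way HS512 signing does."""
    header = b64url_encode(b'{"alg":"HS512","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def read_payload_without_key(token: str) -> dict:
    """What jwt.io's debugger does: base64url-decode the middle part. No key needed."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs512(token: str, secret: bytes) -> bool:
    """Recompute the HMAC; only a holder of the key can produce a token that passes."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    # Pin the algorithm server-side; never let the token's "alg" choose the check.
    if json.loads(b64url_decode(header)).get("alg") != "HS512":
        return False
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha512).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def edit_subject(token: str, new_sub: str) -> str:
    """Change 'sub' in the decoded payload and keep the old signature, to show verification rejects it."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["sub"] = new_sub
    return f"{header}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"
```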

It's secure in the sense that it tells you who the user is and what claims they have. You can verify that the user's identity and claims are valid by checking the JWT's signature.

Also, see this: https://stackoverflow.com/a/38459231/2115684

Community