
I just started to get familiar with JWT and one question popped up: how to decrypt a JWT on the server side without knowing what secret is used? Let's say we protect the REST API /user endpoint with a JWT token. The user generates a token and passes it using the header

Authorization: Bearer <token>

How may we know the user ID to get his secret for JWT token decryption?

Can we pass the user ID along with the token like this:

Authorization: Bearer <token> <UserID>
Tomas
  • The headers and payloads of JWTs are not encrypted. If you need this information, you should be including it in the JWT payload (Base64-encoded). – esqew Nov 07 '22 at 14:41
  • @esqew Could you show what such a token would look like? – Tomas Nov 07 '22 at 14:51
  • @esqew I got it: the data in the JWT payload is not encrypted, so I can access it without a secret; the secret is needed only for signature verification. Am I right? – Tomas Nov 07 '22 at 15:03
  • That's correct, and you can confirm this with helpful documentation from other sources like [JWT.io](https://jwt.io/introduction) – esqew Nov 07 '22 at 15:03
  • No, a secret is not needed for signature verification when the JWT is RSA/ECDSA, because the secret is a private key that is not shared; therefore a public key has to be shared to do sig verify on each end. When the JWT is HMAC-based, a shared secret is needed for signature verification (but no confidentiality is gained). See this answer for a better understanding of each mode: https://stackoverflow.com/questions/37972285/how-to-safely-store-process-secret-key-for-jwt/70054943#70054943 – Stof Nov 08 '22 at 01:26
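
As an added example (not code from the question or the comments), the following Python stdlib snippet shows the flow the comments describe for an HMAC (HS256) token: the payload is readable by anyone without a key, the server can take the user ID from the still-unverified `sub` claim to look up that user's secret, and only the signature check decides whether the claims are trusted. The per-user secret table, the `sub` claim and the secret values are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example: assumes the server keeps one HMAC secret per user ID.
USER_SECRETS = {"42": b"user-42-secret-constructed", "7": b"user-7-secret-constructed"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_claims(token: str) -> dict:
    """Read the payload with no key at all: it is base64url-encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str) -> Optional[dict]:
    """Return the claims only if the signature checks out under that user's secret."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # the server picks the algorithm, never the token
        return None
    claims = peek_claims(token)  # untrusted until the signature is verified
    secret = USER_SECRETS.get(str(claims.get("sub")))
    if secret is None:
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return claims
```

A token signed with another user's secret (or with `alg` set to `none`) still has a perfectly readable payload, which is why the claims must not be acted on before `verify_hs256` returns them.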

0 Answers