
When I go to https://jwt.io/ I'm able to decode my token without any secret. I just paste the token and it'll be decoded.

But when I go to my code and try to decode it without a secret, I'll get the following error:

jwt.exceptions.InvalidSignatureError: Signature verification failed

This is my code:

import jwt

token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXNzYWdlIjoidGhpcyBpcyBhIHNlY3JldCBtZXNzYWdlIiwiaWF0IjoxNjc4MjE1ODY1fQ.jrNYdkoNau5H20CGXlHK5nASGxY7xLD8LF6zxt-thLY'

decoded = jwt.decode(token, verify_signature=False, algorithms=['HS256'])

print(decoded)

By the way, this line will work just fine:

decoded = jwt.decode(token, 'secret', verify_signature=False, algorithms=['HS256'])

And this will also fail:

decoded = jwt.decode(token, 'secret', verify=False, algorithms=['HS256'])

Is there a way to decode it without the secret like in https://jwt.io?

  • What do you think happens if you ignore the _validation_ part of the JWT process, and just assume that whatever the user happened to put in the payload is the truth? – jonrsharpe Mar 07 '23 at 19:22
  • Did you try `jwt.decode( token, options={'verify_signature': False} )`, as the documentation suggests? – Tim Roberts Mar 07 '23 at 19:23
  • You can split a JWT by `.`, take the second part, the payload, and decode it with base64url. But doing this means that the JWT can be modified by the user. – Nick ODell Mar 07 '23 at 19:24
  • Does this answer your question? [Getting only decoded payload from JWT in python](https://stackoverflow.com/questions/59425161/getting-only-decoded-payload-from-jwt-in-python) – jps Mar 07 '23 at 19:34
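An added example (not from the question or from PyJWT) showing, with only the standard library, what jwt.io does when it decodes without a key and why the comments warn against trusting that output: the payload is readable by anyone, but only the HMAC check proves it was not modified. It reuses the question's token for the unverified decode; the signing key and claims used for the verified part are constructed.

```python
import base64
import hashlib
import hmac
import json

# Token from the question above (HS256); its payload is readable without any key.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJtZXNzYWdlIjoidGhpcyBpcyBhIHNlY3JldCBtZXNzYWdlIiwiaWF0IjoxNjc4MjE1ODY1fQ."
         "jrNYdkoNau5H20CGXlHK5nASGxY7xLD8LF6zxt-thLY")

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token: str):
    """What jwt.io (and PyJWT with options={'verify_signature': False}) does:
    read header and payload, ignore the signature. Nothing here proves the
    claims came from the holder of the key."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way a server would; used here to build test inputs."""
    header_b64 = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"

def replace_payload(token: str, claims: dict) -> str:
    """Swap the payload but keep the original signature: the modification that
    decode_unverified() accepts and verify_hs256() exists to reject."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload}.{sig_b64}"
```

Run decode_unverified(TOKEN) to see the same header and payload jwt.io shows; then sign a token with a constructed key, change its payload with replace_payload(), and note that decode_unverified() still returns the altered claims while verify_hs256() returns False.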

0 Answers