If you can decode JWT, how are they secure?

VietMX Staff asked 3 years ago

The short answer is that JWT doesn’t concern itself with encryption. It cares about validation. That is to say, it can always get the answer to “Have the contents of this token been manipulated?” This means user manipulation of the JWT token is futile because the server will know and disregard the token.

JWT isn’t meant to store sensitive data. Once the server receives the JWT token and validates it, it is free to look up the user ID in its own database for additional information for that user (like permissions, postal address, etc.). This keeps JWT small in size and avoids inadvertent information leakage because everyone knows not to keep sensitive data in JWT.
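The two points above in working code, as an added example that is not part of the original answer: an HS256 token is readable by anyone without the key, but rewriting its payload breaks the signature, so the server rejects it and only ever does its user lookup on verified claims. The key, the user ID and the `USER_DB` table are constructed for the demo; the signing, verification and lookup helpers are this example's own, not any library's API.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _json_b64(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue header.payload.signature with an HMAC-SHA256 over the first two parts."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def decode_payload_unverified(token: str) -> dict:
    """What anyone holding the token can do: the payload is base64url, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, key: bytes):
    """Return the claims only if the signature checks out; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never trust the header
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))

def rewrite_payload_without_key(token: str, new_payload: dict) -> str:
    """The client-side manipulation the answer calls futile: swap the payload, keep the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _json_b64(new_payload) + "." + sig_b64

# Constructed stand-in for the server's own store: the token carries only the user ID,
# everything sensitive (permissions, postal address) stays here.
USER_DB = {"user-42": {"permissions": ["read"], "postal_address": "1 Example St"}}

def authorize(token: str, key: bytes):
    """Server side: validate first, then look the verified user ID up locally."""
    claims = verify_hs256(token, key)
    return None if claims is None else USER_DB.get(claims.get("sub"))
```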