JSON Web Tokens - Don't add sensitive data


Segment 1 (00:00 - 01:00)

This mess of characters is a JWT, or a JSON web token. Let's take a closer look at what it actually consists of. So, it's three parts separated by dots. Part one is the header, which tells us the algorithm. Part two is the payload, which is your actual data. And part three is the signature, which proves it's legit. So, here's the kicker. The first two parts, they're just Base64 encoded, not encrypted. They're not secure. Anyone can read them. So, watch this. I'll take a real JWT and decode it right now. You see your user ID, email, expiration time, it's all there. It's all readable. So, never put passwords or secrets in here. The signature is where the security happens. So, the server takes the header plus payload, runs it through HMAC with a secret key that only the server knows. So, when you send the token back, the server recreates this signature. And if someone tampered with your payload, then the signatures won't match and the token gets rejected. And remember, JWTs aren't encrypted, they're just signed. So, don't put anything sensitive in the payload that you wouldn't want your users to see. You can use a new site that I just deployed at webutills.io to decode and mess around with JWTs.
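The points made in the segment, shown end to end as an added example (not code from the video or from Traversy Media): the header and payload decode without any key, the signature is an HMAC-SHA256 over `header.payload` under a server-side secret, and a payload edited without that secret fails verification. The secret, the claims and the `modify_payload` helper are constructed for the demo; the base64url handling follows RFC 7515.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret; a real server keeps its key out of source control.
SECRET = b"demo-secret-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWTs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build header.payload.signature; the signature is HMAC-SHA256 over the first two parts."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Anyone can do this: the header and payload are only encoded, not encrypted."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Server side: recompute the signature and return the payload only if it matches."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(b64url_decode(p))


def modify_payload(token: str, **changes) -> str:
    """Constructed helper: rewrite claims while keeping the old signature, to show it gets rejected."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(changes)
    return f"{h}.{b64url_encode(json.dumps(payload, separators=(',', ':')).encode())}.{s}"
```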

Other videos by this author: Traversy Media
