JSON Web Tokens Gone Wrong

September 28, 2022

JSON Web Tokens Gone Wrong

By Itay Pahima, harmon.ie VP of R&D

Last week I was sitting at a café, just me and my laptop, when I noticed a delivery person “lock” up their bike before heading in to deliver someone’s lunch. It shouldn’t have bothered me, but it did. This delivery person took the time to remove the chain, wrap it around parts of the bike, twist the code into place and then turn the lock with that click of finality, but, THE BIKE WAS NOT LOCKED!

Now I knew that nobody was going to steal the bike, not on my watch, but this delivery person was nowhere to be seen and does this every day. Every single day they assume that their bike is secure from being stolen. Newsflash, when you only lock up the bike handle, or a single part of the bike, you may as well leave a sign on your bike that says, “take me!”

I have always found it so frustrating when I see someone lock up their bike the wrong way. I spend less time monitoring bike security and a lot more time on computer security and vulnerabilities. Which brings me to another subject that has been eating at me, JWTs. This past week I have been engaging in conversation about the merits of JWTs, and I have found that promising professional software engineers are missing the same memo as the delivery guy.

When asked to define a JWT, the response that I am hearing most often is that JWTs keep your information safe. JWTs authenticate information. JWTs are encrypted. If all of that was true, then I could sleep well at night. But. JWTs do none of the above.

Why do people get it wrong? What is a JWT?

JWTs are everywhere. There are three major elements of a JWT, but the part that is most relevant is the digital signature. It is a way to authorize that the data comes from you originally.

Imagine every person has a unique signature that is impossible to forge (unlike those times your parents“signed” when you were a student 😉😜). It is kind of like a fingerprint. Imagine there’s an easy way to check who really signed a document and the exact content that was included when it was signed (i.e. the payload.)

Now that we’ve covered the analogy, this is how it works. 

JWT uses to algorithm header from the token to run a simple calculation. For example, if the algorithm was HMAC SHA256 :


base64UrlEncode(header) + "." +


secret = [this is the actual signature])

If you run it and its results are the same in the 3rd part of the token (the signature part), the token is VALID🥳🥳 !

If not, 🧑🏻‍💻

Why do I care?

When you use JWTs with a false sense of security, it is risky. Engineers are building and coding into place major security holes with significant vulnerabilities without any idea how unsafe their architecture is. Using JWTs is a sort of permanent digital branding that is helpful in terms of identifying the originator or true owner. But it does not prevent exploitation.

So, what happened with the delivery guy?

I have no idea. I was debating stopping him to let him know, but maybe someone will read this and tell him. I hope nobody stole his bike.

What will happen with you and JWTs?

I hope that I have convinced you to use them for what they were intended for, to authorize and serve as a digital signature. Spread the memo, and use a tool with actual encryption if you need to keep data private.

Phew. Glad I got that off my chest.

About Author: Itay Pahima, VP of R&D

Itay brings broad experience with cutting edge technologies across an array of business scenarios, from native applications to high-scale cloud apps serving enterprise customers worldwide.

Itay is skilled in databases, full-stack development, web applications, front-end development and agile methodologies. He is a strong product management professional with a BS in Computer Software Engineering from Jerusalem College of Engineering.

© Copyright 2024 harmon.ie. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies