JSON Web Tokens - Don't add sensitive data | Traversy Indexed
JSON Web Tokens - Don't add sensitive data
Sep 7, 2025
intermediate
Quick Tip
0:00 This mess of characters is a JWT, or a JSON Web Token. Let's take a closer look at what it actually consists of.
0:07 So, it's three parts separated by dots. Part one is the header, which tells us the algorithm. Part two is the payload, which is your actual data. And part three is the signature, which proves it's legit.
0:16 So, here's the kicker. The first two parts, they're just Base64 encoded, not encrypted. They're not secure. Anyone can read them.
0:22 So, watch this. I'll take a real JWT and decode it right now. See your user ID, email, expiration time, it's all there. It's all readable. So, never put passwords or secrets in here.
0:33 The signature is where the security happens. So, the server takes the header plus payload, runs it through HMAC with a secret key only the server knows. So, when you send the token back, the server recreates this signature. And if someone tampered with your payload, then the signatures won't match and the token gets rejected.
0:53 And remember, JWTs aren't encrypted, they're just signed. So, don't put anything sensitive in the payload that you wouldn't want your users to see.
0:59 You can use a new site that I just deployed at webutills.io to decode and mess around with JWTs.
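The two points made in the video, that the header and payload are readable by anyone holding the token and that only the HMAC signature stops tampering, can both be shown with the standard library alone. The following is an added example, not code from the video or from the webutills.io site; the secret, the claims (`sub`, `email`, `exp`) and the helper names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# --- Base64url helpers (JWT uses the URL-safe alphabet with padding stripped) ---

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT encoding removes.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: Dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


# --- Issuing: header.payload is signed with HMAC-SHA256 under a server-only secret ---

def sign_hs256(header: Dict, payload: Dict, secret: bytes) -> str:
    signing_input = f"{_json_segment(header)}.{_json_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


# --- Reading: no secret needed, which is why nothing sensitive belongs in the payload ---

def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    header_b64, payload_b64, _sig = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
    )


# --- Verifying: recompute the signature and compare in constant time ---

def verify_hs256(token: str, secret: bytes) -> Optional[Dict]:
    """Return the payload if the signature is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Only accept the algorithm this server actually issues; never let the
        # token's own header choose a weaker or "none" algorithm.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON, or segment count
        return None


def modify_payload(token: str, **changes) -> str:
    """Change claims without re-signing, to show the verifier rejects the result."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{_json_segment(payload)}.{sig_b64}"


# Constructed demo values (not a real secret or real user).
SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN = sign_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "user-123", "email": "alice@example.com", "exp": 1757203200},
    SECRET,
)

if __name__ == "__main__":
    header, payload = decode_unverified(TOKEN)
    print("readable without the secret:", header, payload)
    print("valid token ->", verify_hs256(TOKEN, SECRET))
    print("tampered token ->", verify_hs256(modify_payload(TOKEN, sub="user-999"), SECRET))
    print("wrong secret ->", verify_hs256(TOKEN, b"some-other-secret"))
```

`decode_unverified` reads the email and expiry straight out of the token, which is the reason the video says never to place passwords or secrets there; `verify_hs256` is what the server side must run before trusting any claim, and it rejects both a payload edited after signing and a token signed with a different secret. The `alg` check and `hmac.compare_digest` are the two details practitioners most often get wrong when hand-rolling this.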