How is angular-jwt decoding my JWT without a secret?

Front-end · Unresolved · 1 answer · 1988 views
时光说笑 2021-02-20 14:14

The Auth0 team created something called "angular-jwt" which has a jwtHelper class. This thing successfully decodes a local JWT without the secret I used on the server. How d

1 answer
  • 2021-02-20 14:58

    A JWT uses encoding, not encryption. The data that the token contains is not a secret; anyone can decode and view it. What the server does is sign the token using a secret (in your case, config.secret), which effectively makes it impossible to modify the token without knowing the secret. Hence, only the server will be able to change the contents of the token, but anyone can read it.
