
I create a JWT token, and if I go to the official site https://jwt.io/ and check its validity, it shows that it is not valid.

Please tell me why it turns out to be invalid.

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKYWNrIiwiaWF0IjoxNjYwMDY3NjQ0LCJleHAiOjE2NjAxNTQwNDR9.yUqKI1t2xKVlhALUw12ie3DcpnGyXelcd7J-0qJ1FPg

    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.SignatureAlgorithm;
    import io.jsonwebtoken.io.Encoders;
    import io.jsonwebtoken.security.Keys;

    import javax.crypto.SecretKey;
    import java.util.Date;
    import java.util.HashMap;
    import java.util.Map;

    public class GeneratorJwt {

        public static void main(String[] args) {

            Map<String, Object> claims = new HashMap<>();

            // A fresh random 256-bit HMAC key on every run; it exists only inside this process.
            SecretKey key = Keys.secretKeyFor(SignatureAlgorithm.HS256);

            // Base64 text of the key bytes; jjwt's signWith(alg, String) Base64-decodes it again before signing.
            String jwtTokenKey = Encoders.BASE64.encode(key.getEncoded());

            String s = Jwts.builder()
                    .setClaims(claims)
                    .setSubject("Jack")
                    .setIssuedAt(new Date(System.currentTimeMillis()))
                    .setExpiration(new Date((new Date()).getTime() + 86400000)) // now + 24 h
                    .signWith(SignatureAlgorithm.HS256, jwtTokenKey).compact();

            // Only the token is printed; the key that signed it is never shown,
            // so there is nothing to paste into jwt.io's secret field for verification.
            System.out.println(s);
        }

    }
  • How did you check the JWT token on the external site? Specifically, what did you enter in the "your-256-bit-secret" field? Commented Aug 9, 2022 at 17:59
  • @Progman Yes, that's right. Commented Aug 9, 2022 at 18:03
  • A JWT token is only verified with the public or the private key. Did you set any key for the verification on the jwt.io site? Commented Aug 9, 2022 at 18:14
  • @Zabihullah Alipour I created a token for a client based on its name. And this token is sent to the client. I saw this code here youtube.com/… It also shows that the code is invalid. Commented Aug 9, 2022 at 18:25

1 Answer

You almost certainly should not use HS256, which is a symmetric algorithm, meaning you have to give the secret key to clients for them to be able to validate the JWT. See the JWT Best Practices article for this type of guidance.

Start with the most mainstream token signing algorithm of RS256 instead - here is some Java code of mine that uses it, via the highly respected jose4j library:

In jwt.io you can then paste in the token signing public key (JWK) to see the token validated. If you prefer, translate the same concepts to a different JWT library of your choice. See also this blog post of mine which uses the jwt.io website.
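An added example, not code from the question or from the answer above, showing what the jwt.io secret field actually does for an HS256 token: a standard-library-only Python signer and verifier. It assumes the key is the raw 32 random bytes that jjwt's Keys.secretKeyFor returns and that its Base64 text is what Encoders.BASE64.encode prints; the claims are those of the token in the question, so the header and payload segments it produces match that token exactly, and only the secret decides whether the signature verifies.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """header.payload.signature, HMAC-SHA256 keyed with the raw secret bytes."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature checks out with this key, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # the verifier fixes the algorithm; the token does not get to choose it
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))


def demo() -> dict:
    """Sign with random key bytes (assumed to mirror Keys.secretKeyFor), then verify four ways."""
    key = os.urandom(32)                              # the raw 256-bit secret
    key_b64 = base64.b64encode(key).decode("ascii")  # assumed: what Encoders.BASE64.encode prints
    token = sign_hs256({"sub": "Jack", "iat": 1660067644, "exp": 1660154044}, key)
    return {
        "raw_key_bytes": verify_hs256(token, key) is not None,                                # True
        "base64_text_as_secret": verify_hs256(token, key_b64.encode("ascii")) is not None,  # False
        "base64_decoded_first": verify_hs256(token, base64.b64decode(key_b64)) is not None,  # True
        "no_key_given": verify_hs256(token, b"") is not None,                                 # False
    }
```

Pasting the printed Base64 text into jwt.io as if it were the secret corresponds to the second case and fails; the site only agrees with the signer when it is given the same key bytes, which the question's program never prints.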
