Looking Inside a JSON Web Token

In the previous lesson, we looked at how to use the flask_jwt_extended Python package (Flask-JWT-Extended) to create tokens and how to use those tokens to communicate with the Flask API.

Structure of an access token

The tokens themselves were inscrutable sequences of characters, such as:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

What does this mean? Is this just the username information encrypted? The access token looks encrypted because it is a jumble of symbols, but it is not. It is merely encoded: the three dot-separated segments are base64url strings, and the first two (the header and the payload) can be decoded by anyone who holds the token, without any secret key. Only the third segment, the signature, depends on the key, and it proves that the token was issued by someone who knows that key; it does not hide the payload. This is why a JWT payload must never carry passwords or other secrets.

Decoding the token

The JWT website (jwt.io) provides a debugger tool for inspecting an access token. We paste the string there and see what it contains. It splits the token into the header, the payload, and the signature, and decodes the first two immediately. However, it cannot verify the signature until we enter the secret with which the token was signed.

Note: The JWT site is safe to use in the sense that the decoding and signature check run in your own browser, and the token and secret are not sent to the server. Even so, treat pasting a production secret or a live token into any third-party page as a risk: the secret lets anyone mint valid tokens, and the token itself is a bearer credential. For real secrets, decode and verify locally instead.

In the above example, the secret key is the value stored in app.config['JWT_SECRET_KEY'] at the time the create_access_token function was called. Once this secret is entered into the website, the signature is recomputed over the header and payload and compared with the third segment, and the token is reported as verified.
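The two points made above, that the header and payload are readable without any key, and that only the signature needs the secret, can be reproduced with nothing but the standard library. The following is an added example written for this lesson, not code from the course or from Flask-JWT-Extended. It decodes the sample token shown on this page, then signs and verifies a token of its own using a constructed secret (`b"constructed-demo-secret"`, an assumption, not a value from the lesson) to show that a modified payload fails verification even though it still decodes. The function names (`decode_unverified`, `verify_hs256`, `sign_hs256`, `tamper_payload`) are hypothetical helpers, not library APIs.

```python
import base64
import hashlib
import hmac
import json

# The sample token from this page (jwt.io's well-known example token).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment: str) -> bytes:
    """JWT uses base64url without '=' padding (RFC 7515); restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Read header and payload with no key at all.

    This is exactly what the debugger shows before a secret is entered, and
    what anyone who intercepts the token can read. Nothing here is trusted.
    """
    header_b64, payload_b64, _sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare with the signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own header choose how it is checked.
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT the way a server would when issuing a token."""
    header_json = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    payload_json = json.dumps(payload, separators=(",", ":"))
    header_b64 = b64url_encode(header_json.encode("utf-8"))
    payload_b64 = b64url_encode(payload_json.encode("utf-8"))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def tamper_payload(token: str, **changes) -> str:
    """Edit claims in the payload but keep the old signature, as an attacker
    without the secret would have to."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    new_payload_b64 = b64url_encode(
        json.dumps(payload, separators=(",", ":")).encode("utf-8")
    )
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


if __name__ == "__main__":
    # 1. The page's token is readable without a key.
    header, payload = decode_unverified(SAMPLE_TOKEN)
    print("header :", header)
    print("payload:", payload)

    # 2. Sign our own token with a constructed secret (assumption, not from the lesson).
    secret = b"constructed-demo-secret"
    token = sign_hs256({"sub": "42", "name": "Alice"}, secret)
    print("verifies with right secret :", verify_hs256(token, secret))
    print("verifies with wrong secret :", verify_hs256(token, b"wrong-secret"))

    # 3. A tampered payload still decodes, but no longer verifies.
    forged = tamper_payload(token, name="admin")
    print("forged payload decodes to  :", decode_unverified(forged)[1])
    print("forged token verifies      :", verify_hs256(forged, secret))
```

Running the script prints the decoded header `{"alg": "HS256", "typ": "JWT"}` and the payload claims for the sample token with no secret involved, then shows that only the secret used at signing time makes `verify_hs256` return True. The `alg` check in `verify_hs256` matters: a verifier that honours whatever algorithm the token's header names, including `none`, can be talked out of checking the signature at all.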
