"Signature verification raised", yet jwt.io says "Signature Verified"

[scottrobertson]

Hey

Having an odd issue that I cannot seem to replicate very easily.

token = "eyJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJfaWQiOjEsInZlcmlmaWVyIjoiM2ExZGNlODItN2YwNC00Mjk1LTljN2QtYzUzYmQ4OGVjNTI3In0sImV4cCI6MTYxMTYyMjMxOH0.7HYR9jAsNeOjQFGGbmUBNalOqmUeLRK9eMldMjGQo38"

secret = "c61a64edec22c03a25f3b984910ac2da216a2963a379f4eaf58abac06f6c975572690925e85a1c52721d388b3c2ab75698e67acc3ec483e23abb98a88b140fd7"

JWT.decode(token, secret, true, { algorithm: 'HS256' })

This throws a JWT::VerificationError (Signature verification raised)

However, if i head over to jwt.io, and type in those exact same values (try it, just copy them from above) it says "Signature Verified"

Any ideas what is wrong here?

[excpt]

Hey @scottrobertson

The given token is invalid.

When entering the token into jwt.io and passing the password the last part of the token changes. The website manipulates the pasted token. It is not clearly visible. You really need to look. It's confusing.

First you need to paste the password and then paste the token. This ensures that the token is validated and not created with the given password. Doing this in the described order will display the "Invalid Signature" message.

Please check with the issuer of the token. There is something wrong in the creation process.

[scottrobertson]

Ah that makes total sense then. What a confusing website ha. It will be an issue on my end, thank you.

[excpt]

Thanks for the fast response.

Have a great day.