Is it possible to create JWT tokens without signature?
We have a case where we would not need the signature, but all the rest of the token would be needed. So is it possible to create the JWT token without the signature?
Based on the documentation, you create the token by:
var token = jwt.sign
command, so it kind of implies that the secret is compulsory.
asked Aug 18, 2016 at 10:07 by Ville Miekk-oja
1 Answer
According to RFC 7519:
To support use cases in which the JWT content is secured by a means other than a signature and/or encryption contained within the JWT (such as a signature on a data structure containing the JWT), JWTs MAY also be created without a signature or encryption. An Unsecured JWT is a JWS using the "alg" Header Parameter value "none" and with the empty string for its JWS Signature value, as defined in the JWA specification [JWA]; it is an Unsecured JWS with the JWT Claims Set as its JWS Payload.
Since you didn't mention which library you're using, I suppose you are using the one from auth0. Although I haven't tested it yet, it seems that setting algorithm to none causes "No digital signature or MAC value":
var token = jwt.sign({ foo: 'bar' }, cert, { algorithm: 'none'});
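The Unsecured JWT format quoted from RFC 7519 above, as an added example that is not part of the original answer and does not use the auth0 library: it builds the token with Node built-ins and parses it on the receiving side only when the caller explicitly opts in. The function names and the `allowUnsecured` option are assumptions of this example.

```javascript
// Added example: an RFC 7519 Unsecured JWT built and parsed with Node built-ins.
// Function names and the allowUnsecured option are assumptions of this example.

function b64url(obj) {
  // base64url without padding, as the JWS compact serialization requires
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromB64url(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// header.payload. : the third (signature) segment is the empty string
function encodeUnsecuredJwt(claims) {
  return b64url({ alg: 'none', typ: 'JWT' }) + '.' + b64url(claims) + '.';
}

// Returns the claims of an Unsecured JWT, but only when the caller opts in,
// i.e. when the token is protected by some means outside the JWT itself.
function decodeUnsecuredJwt(token, options) {
  const allowUnsecured = Boolean(options && options.allowUnsecured);
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS: expected 3 segments');
  const header = fromB64url(parts[0]);
  if (header.alg !== 'none') {
    throw new Error('signed token: verify it with a key, not with this function');
  }
  if (parts[2] !== '') throw new Error('alg "none" requires an empty signature');
  if (!allowUnsecured) throw new Error('unsecured JWT rejected by policy');
  return fromB64url(parts[1]);
}

// Constructed sample claims, same shape as in the answer's snippet
const sample = encodeUnsecuredJwt({ foo: 'bar' });
console.log(sample);
console.log(decodeUnsecuredJwt(sample, { allowUnsecured: true }));
```

Anything in such a token can be changed by whoever handles it, so the default path rejects it and acceptance is a per-call decision.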