I am experimenting with JWT, and while doing some research I found this JWT decoder. I thought I would have to enter the token and my secret key to decrypt the token.
But I was surprised to see it only required the token to decrypt it. What is the use of the secret key if it can be decrypted without it? All user data in the token will be open to anyone.
Am I missing something here?
And my other question is: how does JWT help to prevent MITM?
Thanks
The token is signed and encoded (not encrypted), and so the original data can be derived without need for a key. The signature allows the token to be verified by anyone with the public key, but the signature itself can only be generated by the entity holding the private key.
As a result of these properties, any changes to the data can be detected, and we can reliably determine who issued the token. This prevents MITM-type attacks because the MITM does not have access to the private key, and so cannot generate a signature for the token that will pass verification.
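The two points in this answer, shown in code as an added example that is not part of the original post: the payload is readable by anyone with no key at all, while the signature only verifies if the header and payload are untouched. It uses HS256 (a shared secret, as the question mentions) rather than a public/private key pair; the secret and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_without_key(token: str) -> dict:
    # Header and payload are only encoded, not encrypted: no key is needed to read them.
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(payload_b64))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Only the holder of the secret can produce a MAC that will later verify.
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> bool:
    # Recompute the MAC over "header.payload" and compare it in constant time.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # accept only the algorithm we expect
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))

def with_modified_payload(token: str, **changes) -> str:
    # Test case for detection: rewrite a claim but keep the original signature,
    # which is all an intermediary without the secret can do.
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return ".".join([header_b64, b64url_encode(json.dumps(payload, separators=(",", ":")).encode()), sig_b64])

SECRET = b"constructed-demo-secret"  # constructed sample value, not a real key
TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, SECRET)

if __name__ == "__main__":
    print(decode_without_key(TOKEN))                                    # readable with no key
    print(verify_hs256(TOKEN, SECRET))                                  # True: untouched token
    print(verify_hs256(with_modified_payload(TOKEN, role="admin"), SECRET))  # False: change detected
```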