Creating a full-stack MERN app using JWT authentication: Part 1
at blog.logrocket.com
OMFG!!! Do *NOT* put passwords or any secrets in your claims... the JWT itself is *NOT* encrypted/secure, the payload is only base64 encoded, the signature only confirms authority.
JSON.parse(atob(YOUR_TOKEN.split('.')[1]))
This is a *REALLY* bad example.
Things you should put in your claims:
* token id
* real name
* account id
* email address
* user's roles/groups
For example, here's a claims section from a devauth application I wrote.
{
  jti: "GENERATED_UUID_FOR_THIS_TOKEN",
  iss: "https://AUTHENTICATION_SERVER/",
  aud: "https://APP_SERVER/",
  iat: 1564526297, // Issued, seconds since unix epoch UTC
  exp: 1564569497, // Expires, seconds from unix epoch UTC
  sub: "USER_ID",
  eml: "EMAIL_ADDRESS",
  fnm: "FIRST",
  lnm: "LAST",
  aff: ["AFFILIATION",...],
  rol: ["ADMIN",...]
}