Short secrets using HS256 blocks token generation #797

rtamarindo · 2025-03-28T19:18:27Z

rtamarindo
Mar 28, 2025

It doesn't generates a JWT when the secret is not compliant with the RFC for not having the minimum length for instance. So can not use jwt.io to debug an application with a non-compliant JWT secret because it simply doesn't generates the token.

I think it could only raise a warning instead of blocking it completely.

HenryzhaoH · 2025-04-01T02:19:11Z

HenryzhaoH
Apr 1, 2025

Totally agreed. Nobody will use jwt.io for production. As for debugging and testing purposes, setting these limitations for "security reason" is completely unnecessary and unwanted.
Further more, when using JWT Decoder with the same key and settings, it works as normal and not event raise a warning.

0 replies

utkusen · 2025-04-03T09:23:54Z

utkusen
Apr 3, 2025

this!

0 replies

combatsasality · 2025-04-12T14:28:32Z

combatsasality
Apr 12, 2025

up

0 replies

keithdanielll · 2025-04-14T15:16:26Z

keithdanielll
Apr 14, 2025

up !

0 replies

cTxplorer · 2025-04-16T09:42:02Z

cTxplorer
Apr 16, 2025

This feature rollout is being controlled via a cookie named ab-variant.

For the older UI, update the ab-variant cookie value to control. For new UI, either delete the cookie or set its value to variant.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Short secrets using HS256 blocks token generation #797

{{title}}

Replies: 5 comments

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Short secrets using HS256 blocks token generation #797

rtamarindo Mar 28, 2025

Replies: 5 comments

HenryzhaoH Apr 1, 2025

utkusen Apr 3, 2025

combatsasality Apr 12, 2025

keithdanielll Apr 14, 2025

cTxplorer Apr 16, 2025

rtamarindo
Mar 28, 2025

HenryzhaoH
Apr 1, 2025

utkusen
Apr 3, 2025

combatsasality
Apr 12, 2025

keithdanielll
Apr 14, 2025

cTxplorer
Apr 16, 2025