Can you modify the header of a JWT token after it is created (after it is encrypted and signed)?

I know that a JWT token contains a header section that is BASE64 encoded.

Scenario:

  1. Decode the header
  2. Change the value of one of the parameters present in header, like for example kid parameter
  3. Encode the modified header
  4. Replace the initial encoded header with the new encoded header in the JWT token

Questions

  • Will the token still be valid?
  • Or, when it is initially signed, is the header also considered when creating the signature, so that if you modify the header afterwards the token is considered invalid?


Solution 1:[1]

For a signed token (JWS), the signature is computed using the payload AND the header. If you alter the header or the payload then the signature part becomes invalid.

You can give it a try at https://jwt.io/

Please note there was a known attack that consisted of changing the signature algorithm to none and stripping the signature itself, allowing payload modification without warning in vulnerable libraries. Refer to this detailed article for more information.

Solution 2:[2]

Yes. You can try this site if you want to modify an existing token: https://token.dev/

Solution 3:[3]

Someone cannot change the header/payload unless they have the secret key. If they have the secret key, they can change the JWT token.

For instance, if you are using NestJS to register JwtModule, you have to read the secret key from the config file to avoid revealing the secret key, as below:

    JwtModule.register({
        // Placeholder: load the signing secret from configuration or the
        // environment at startup; never commit a literal secret to source.
        secret: 'read this from config file',
        signOptions: {
            // A numeric expiresIn is interpreted as seconds by jsonwebtoken,
            // so 60 * 1000 is 60000 seconds, not 60 seconds.
            expiresIn: 60 * 1000
        }
    }),

For more information, you can watch this video

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

  • Solution 1: Spomky-Labs
  • Solution 2: Sushil Verma
  • Solution 3: