PyJWT returning invalid token signatures
That is indeed a valid token, if you go to jwt.io and paste that token and then update the secret used to verify it to be the same you used to generate the token then the tool will indicate that the signature is valid.
By default, jwt.io tries to validate the signature using the HS256 algorithm and the default secret of secret
. You're indeed creating a JWT using the HS256 algorithm so the only thing you need to do to check if it's valid is to update the secret input box to use TESTSECRET
.
Also, the signature component of JWT is raw binary data that may not display correctly if you try to decode it to text. For a bit more on how JWT's work you can check Get Started with JSON Web Tokens.
I guess with the latest version of PyJWT while decoding you need to use the algorithm.
I was facing the same issue. Solved it using the algorithm parameter. The PyJwt version I'm using is 2.0.1. Below is the sample code. Please try and let me know if it works.
payload = jwt.decode("YOUR_JWT_TOKEN","YOUR_SECRET_KEY", algorithms=["HS256"])
example_payload = {
'public_id': user.public_id,
'exp': datetime.datetime.utcnow()+datetime.timedelta(minutes=30)
}
For ENCODING use
token = jwt.encode(example_payload,app.config['SECRET_KEY'],algorithm="HS256")
For DECODING use
data = jwt.decode(token, app.config['SECRET_KEY'], algorithms=["HS256"])
basically just adding the ALGORITHM and ALGORITHMS=[] parts... otherwise it gave me error (token invalid for operations after the log-in), but this fixed it.
In Python3 you don't need the ".decode('UTF-8')" after "jwt.encode()": it does it for you.
Also check you don't have both jwt and PyJWT packages:
pip3 list
if you have both jwt and PyJWT installed then do:
pip3 uninstall jwt
pip3 uninstall PyJWT
pip3 install PyJWT
re-run your app