PyJWT returning invalid token signatures

I'm using PyJWT==1.4.2 to generate tokens that I intend to use for Firebase authentication.

Unfortunately I'm not able to use any of the third-party Python Firebase libraries, and even if I could I had the same difficulty when I tried with FirebaseTokenGenerator.

Inside of my API, I have a function for generating a token for a username.

import jwt  # PyJWT==1.4.2, imported at module level

    # Method of the API class; the username argument is accepted but not
    # placed in the payload, which carries only the constant claim below.
    def generate_token(self, username):
        payload = {
            'something': 'Here',
        }
        secret = "TESTSECRET"
        token = jwt.encode(
            payload,
            secret,
            algorithm='HS256')
        return token

An example of a token I get from this function is:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21ldGhpbmciOiJIZXJlIn0.fpIMSRJ3AAL30LIDwHJM9ZOumdRzS7yooiiUgMPms2Y

Unfortunately, this is not a valid token. Online resources such as https://jwt.io/ are telling me that the signature portion is invalid.

Not sure if this is further helpful info, but when I try decoding the token I get the following:

b'{"alg":"HS256","typ":"JWT"}{"something"[83 chars]\x88'

Any thoughts on what I might be doing wrong?

Robert Townley asked Oct 21 '16 15:10



1 Answer

That is indeed a valid token. If you go to jwt.io, paste that token, and then update the secret used to verify it to the same one you used to generate the token, the tool will indicate that the signature is valid.

By default, jwt.io tries to validate the signature using the HS256 algorithm and the default secret of secret. You're indeed creating a JWT using the HS256 algorithm so the only thing you need to do to check if it's valid is to update the secret input box to use TESTSECRET.

Also, the signature component of a JWT is raw binary data that may not display correctly if you try to decode it to text. For a bit more on how JWTs work you can check Get Started with JSON Web Tokens.

João Angelo answered Oct 05 '22 14:10