Should I decode client side JWT?

I am creating an Android application and plan to use JSON Web Tokens (JWT) for authentication.

As soon as my server returns a response with the generated token, does it make sense to decode the token on the client side to read the user information (the payload), or should I use the token strictly as an authentication mechanism and make a second request for the user information?

thanks

+4
1 answer

Like most things, it depends. If you control the authorization server (i.e. the API you are calling is your own), I really do not see any problem with reading the contents of the token on the client side.

If you call a third-party API and authenticate against a server that you do not control, I would not depend on the contents of the JWT. A third party may decide to change the claims in the token, or even start encrypting the token.

+2
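A worked illustration of the two sides of the answer, added here as an example and not part of the original question or answer (it is Python rather than the asker's Android code, so the token structure is easy to follow). The server mints and verifies an HS256 JWS with a constructed secret; the client only base64url-decodes the payload for display and never checks the signature, because it does not have the key. The `name` claim, the `SERVER_SECRET` value and the five-segment "JWE-shaped" input are all assumptions made for the example, and the helper names are hypothetical:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret"  # assumption for the example: only the server knows this


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515, section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Server side: mint a compact JWS (header.payload.signature) with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Server side: the only place the signature can be checked, because only
    the server holds the secret. Returns the claims, or None if the token is
    malformed, declares another alg, or the MAC does not match."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # never let the token pick the algorithm for you
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return None
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, Unicode errors
        return None
    return claims if isinstance(claims, dict) else None


def read_claims_unverified(token: str) -> Optional[dict]:
    """Client side: read the payload for display only; no signature check.

    Returns None for anything that is not a readable three-segment JWS:
    a five-segment JWE (the payload is ciphertext, nothing to read),
    bad base64url, or a payload that is not a JSON object.
    """
    parts = token.split(".")
    if len(parts) != 3:  # five segments means JWE compact serialization
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    return payload


def display_name(token: str) -> Optional[str]:
    """What the app would show in its header. None means the token did not
    carry a usable name, so fall back to a request to the user-info endpoint."""
    claims = read_claims_unverified(token)
    if claims is None:
        return None
    name = claims.get("name")  # the issuer may rename or drop this claim at any time
    return name if isinstance(name, str) else None


if __name__ == "__main__":
    token = make_hs256_token({"sub": "42", "name": "alice"}, SERVER_SECRET)
    print("client reads:", display_name(token))
    print("server verifies:", verify_hs256(token, SERVER_SECRET))
    print("JWE-shaped input:", read_claims_unverified("a.b.c.d.e"))  # constructed, unreadable
```

The point the split makes: `read_claims_unverified` will happily return a forged payload if someone swaps the middle segment, which is fine for choosing what name to draw on screen and wrong for deciding what the user is allowed to do; that decision stays behind `verify_hs256` on the server. If the issuer ever moves to JWE, `display_name` returns None and the app degrades to the second request rather than crashing.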

Source: https://habr.com/ru/post/1614805/
