learn hapi — Encrypt the JWT Payload (The Simple Way)

All the previous JWT tutorials use cryptographic signing to verify a token’s validity. The created tokens didn’t use any payload encryption. If an attacker gets hold of a user’s JWT, they can read the token payload without any effort, because the payload is only base64url-encoded, not encrypted.

Verifying JWTs ensures that the requesting user sends a valid token. The token signature is proof that the token wasn’t changed by a middleman, with the accepted trade-off that the payload itself is not encrypted.

Depending on your application and on what the payload contains when you create (= sign) a new JWT, you may want to add payload encryption on top of the JWT signature.

This tutorial walks you through a simple way of encrypting your custom claims before creating a JWT. Your custom claims are every key-value pair (JWT claim) besides the registered claims defined in the JWT specification, such as `sub`, `iss`, `iat` and `exp`.
