I'm not getting your comment. The payload is not encrypted. I think you refer to... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

FlorianRappl on May 26, 2022 | parent | context | favorite | on: Learnings from 5 years of tech startup code audits

I'm not getting your comment. The payload is not encrypted. I think you refer to the signature. The payload can always be decoded. It's just JSON into base64.

samhw on May 27, 2022 [–]

Ah, sorry, that was what I was referring to when I said "Presumably you weren't using it to sign the tokens, if they were surprised the client could access them?". I classed that as too obvious for it to be what you meant.

Consider applying for YC's Spring batch! Applications are open till Feb 11.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact