Lab 47
Secure Architecture

JWT — Decoded & Tampered

A real header.payload.signature token, decoded into its claims. Edit role from patient to admin and the signature check fails; let it expire and it's rejected. See exactly why a JWT must be validated, not trusted.

Here's a real-shaped JWT. The header and payload are only base64url-encoded, so anyone holding the token can read and rewrite the claims; only the signature, which needs the issuer's secret, ties those claims to the issuer. Edit the claims like an attacker would, then validate the token and watch the signature check catch the tampering. (One simplification: the lab shows exp as a calendar date for readability; a real exp claim is a NumericDate, seconds since the Unix epoch, per RFC 7519.)
Encoded token (what's sent on every request)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMDAxIiwicm9sZSI6InBhdGllbnQiLCJpc3MiOiJob3NwaXRhbC1pZHAiLCJleHAiOiIyMDI2LTEyLTMxIn0.K7n2_qY8xR1vQ3
Colour key: header · payload (you're editing this) · signature (fixed: it needs the secret to change)
Decoded payload
{
"sub": "1001",
"role": "patient",
"iss": "hospital-idp",
"exp": "2026-12-31"
}
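The lab's round trip, written out as an added example rather than the lab's own code: decode the page's token without verifying it, mint a token with the same claims under a hypothetical secret (the lab never reveals its secret, and the signature on the page is a placeholder, not a real HMAC-SHA256 output), tamper with the role the way the editor above lets you, and run a validator that checks the algorithm, the signature, the issuer and the expiry. The exp claim is carried as a Unix timestamp, as RFC 7519 requires; the secret, issuer check and "current time" are assumptions made for the example.

```python
import base64
import calendar
import hashlib
import hmac
import json
import time
from typing import Optional

# The token shown on the lab page (header.payload.signature). Its signature
# is a short placeholder, not a 32-byte HMAC, so it cannot verify under any key.
LAB_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
             "eyJzdWIiOiIxMDAxIiwicm9sZSI6InBhdGllbnQiLCJpc3MiOiJob3NwaXRhbC1pZHAiLCJleHAiOiIyMDI2LTEyLTMxIn0."
             "K7n2_qY8xR1vQ3")

# Hypothetical signing secret (assumption: the lab never reveals its secret).
SECRET = b"hypothetical-lab-secret-do-not-reuse"
ISSUER = "hospital-idp"

# RFC 7519 defines exp as seconds since the Unix epoch; the lab displays it
# as the date 2026-12-31, expressed here as that timestamp (assumption).
LAB_CLAIMS = {"sub": "1001", "role": "patient", "iss": ISSUER,
              "exp": calendar.timegm((2026, 12, 31, 0, 0, 0))}
# Constructed "current time" so the outcome does not depend on the wall clock.
NOW = calendar.timegm((2026, 6, 1, 0, 0, 0))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def segment(obj: dict) -> str:
    """One base64url-encoded JSON segment of a JWT."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign(secret: bytes, signing_input: bytes) -> str:
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


def mint(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 token; only a holder of the secret can do this."""
    head, body = segment({"alg": "HS256", "typ": "JWT"}), segment(claims)
    return f"{head}.{body}.{sign(secret, f'{head}.{body}'.encode())}"


def decode_unverified(token: str) -> dict:
    """The lab's 'Decoded payload' panel: base64url is encoding, not secrecy."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tamper(token: str, **changes) -> str:
    """Attacker edit: rewrite claims in the payload, keep the old signature."""
    head, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims.update(changes)
    return f"{head}.{segment(claims)}.{sig}"


def validate(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Verify alg, signature, issuer and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":            # never let the token pick the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = sign(secret, f"{head}.{body}".encode())
    if not hmac.compare_digest(expected, sig):  # check this before trusting any claim
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired")
    return claims


def check(token: str, now: int = NOW) -> str:
    """Validation outcome as a string: 'accepted' or the rejection reason."""
    try:
        validate(token, now=now)
        return "accepted"
    except ValueError as err:
        return str(err)


def run_lab() -> dict:
    """Replay the lab: genuine token, tampered role, expired token, forged with the secret."""
    token = mint(LAB_CLAIMS)
    tampered = tamper(token, role="admin")
    return {
        "genuine": check(token),
        "tampered_decodes_as": decode_unverified(tampered)["role"],
        "tampered": check(tampered),
        "expired": check(mint({**LAB_CLAIMS, "exp": NOW - 1})),
        "forged_with_secret": check(mint({**LAB_CLAIMS, "role": "admin"})),
    }


if __name__ == "__main__":
    print(json.dumps(decode_unverified(LAB_TOKEN), indent=2))
    for step, outcome in run_lab().items():
        print(f"{step:>20}: {outcome}")
```

The order of checks in `validate` is the point: the signature is verified over the exact bytes received before any claim is parsed for a decision, the algorithm is pinned by the verifier rather than read from the header, and the comparison is constant-time. The tampered token still decodes to `role: admin`, which is why a server that decodes without verifying is the bug this lab is about; the last case shows that an admin token is accepted only when it was signed with the secret.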
What just happened