
Creating a JWT takes a key or other secret as a parameter, and the resulting token is not superficially human-readable, so it's plausible that a developer might mistake it for encryption based on the high-level "shape" of the API.
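An added illustration of the point above (this is not code from either commenter): a minimal HS256 JWT built with only the Python standard library, showing that the key is needed to produce and verify the signature, but not to read the payload. The key, claim names and the `find_credential_claims` helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service would load this from a key store.
DEMO_KEY = b"demo-signing-key-not-a-real-secret"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding, so restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature. The key only feeds the HMAC."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def read_payload_without_key(token: str) -> dict:
    """Anyone holding the token can do this: the payload is plain base64url JSON."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_hs256(token: str, key: bytes) -> bool:
    """Signature check: this is what the key actually protects (integrity, not secrecy)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False  # refuse anything but the algorithm we expect
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def find_credential_claims(token: str,
                           markers=("password", "passwd", "secret")) -> list:
    """Hypothetical log-scrubber check: flag tokens carrying credential-like claims.
    It needs no key, which is exactly why such claims are exposed in logs."""
    claims = read_payload_without_key(token)
    return sorted(k for k in claims if any(m in k.lower() for m in markers))


if __name__ == "__main__":
    token = make_hs256_jwt({"sub": "alice", "password": "hunter2"}, DEMO_KEY)
    print("token:", token)
    print("payload read with no key:", read_payload_without_key(token))
    print("signature valid with key:", verify_hs256(token, DEMO_KEY))
    print("signature valid with wrong key:", verify_hs256(token, b"wrong"))
    print("credential-like claims:", find_credential_claims(token))
```

The signature stops tampering (change the payload and `verify_hs256` fails), but nothing stops reading it; a claim like `password` in a signed token is as exposed as it would be in a query string. Use JWE, or simply never put secrets in the claims, if confidentiality is the goal.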


Yep. A few years ago I used my credentials in some in-house back-office app that a coworker wrote. Later I was able to see my HTTP calls in the company-wide logging system, with my username and password 'hidden' in a JWT.



