How to retrieve the actual JWT secret and valid JWT tokens?

[gusfune]

Hi,
I am trying to connect PayloadCMS with a separate system that decodes JWT and can also use that for RBAC, but, I am having problem with my generated JWT after login.

After I login an user programmatically, the generated JWT is valid for PayloadCMS, but invalid for external systems. For example, if I test it at https://jwt.io/ is shows as invalid.

Also, to connect to an external system, I'd need the actual secret key generated/hashed, as responded here to seamless integrate the system and decode the JWT.

Any suggestions on how to do that?

Here is an example JWT that is generated by going to http://localhost:3000/api/users/login:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImhlbGxvQHdvcmxkLmNvbSIsImlkIjoiNjQ0YWI4YjU5MGZmODFhNGNiOWJkMTlmIiwiY29sbGVjdGlvbiI6InVzZXJzIiwiaWF0IjoxNjgyNjE4NTU3LCJleHAiOjE2ODI2MjU3NTd9.BKGq3niekGKnwuItyK4JmIcF4vKaK5ARstAw10F1zcQ

https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImhlbGxvQHdvcmxkLmNvbSIsImlkIjoiNjQ0YWI4YjU5MGZmODFhNGNiOWJkMTlmIiwiY29sbGVjdGlvbiI6InVzZXJzIiwiaWF0IjoxNjgyNjE4NTU3LCJleHAiOjE2ODI2MjU3NTd9.BKGq3niekGKnwuItyK4JmIcF4vKaK5ARstAw10F1zcQ

[dunganh21]

PayloadCMS hashes the JWT secret using SHA-256, truncates it to 32 characters, and uses that for signing. To decode the JWT externally, you need to hash your secret the same way. Here's how

import { jwtVerify } from "jose";
import crypto from "crypto";

const testDecodeJwt = async (token: string, secret: string) => {
  const newSecret = crypto
    .createHash("sha256")
    .update(secret)
    .digest("hex")
    .slice(0, 32);
  const secretKey = new TextEncoder().encode(newSecret);
  const { payload: decodedPayload } = await jwtVerify(token, secretKey);
  console.log(decodedPayload);
};

In case you still need it