The Solution is shared considering


JavaScript Object Signing and Encryption (JOSE) is a framework specifying ways to securely transmit information on the internet. It’s most well-known for JSON Web Tokens (JWTs), which are used to authorise yourself on a website or application. JWTs typically do this by storing your “login session” in your browser after you have authenticated yourself by entering your username and password. In other words, the website gives you a JWT that contains your user ID, and can be presented to the site to prove who you are without logging in again. JWTs look like this:


You can recognise it because it’s base64-encoded data split into three parts (separated by a .): the header, the payload, and the signature. In fact, it’s a variant of base64 encoding, where the + and / have been replaced by different special characters since they can cause issues in URLs.

Some developers believe that the JWT encoding is like encryption, so they put sensitive data inside the tokens. To prove them wrong, decode the JWT above to find the flag. There are online tools to do this quickly, but working with Python’s PyJWT library will prepare you best for future challenges.


  1. Install Python’s PyJWT library

    pip install pyjwt
  2. Decode the given token to get flag

    >>> import jwt
    >>> token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmbGFnIjoiY3J5cHRve2p3dF9jb250ZW50c19jYW5fYmVfZWFzaWx5X3ZpZXdlZH0iLCJ1c2VyIjoiQ3J5cHRvIE1jSGFjayIsImV4cCI6MjAwNTAzMzQ5M30.shKSmZfgGVvd2OSB2CGezzJ3N6WAULo3w9zCl_T47KQ"
    >>> jwt.decode(token, options={"verify_signature": False})
    {'flag': 'crypto{jwt_contents_can_be_easily_viewed}', 'user': 'Crypto McHack', 'exp': 2005033493}

FLAG := crypto{jwt_contents_can_be_easily_viewed}