
Discussion on: How to securely store JWT tokens.

George Koniaris Author

Hi there,

Thank you for commenting!

The way you proposed to perform the signing and validation of the token is also valid, but it's not the only one. JWT tokens can be signed using HMAC, where only a private key is used to sign and verify the token. This is used in most cases where only the backend needs to verify the token, and the frontend just needs to decode it (everyone can decode a JWT, as it's just a base64 representation of our data).

If you sign JWT tokens and you need your frontend to be able to verify that it was signed by a valid authority, you can use a private key to sign on the backend, and provide the public key to everyone to be able to verify the token.

Is this what you mean?

PS: This article assumes that we use the HMAC way to sign the tokens.

Maksym Kulikovskiy

That's perfect, thank you for clarifying the use case where HMAC shines.