re: Be careful of the JWT hype train VIEW POST


Can you tell me again, why we need JWT encryption?

First of all JWT is not encryption. It is authentication and authorization.

I can't tell you why you need JWT because I do not know anything about your application. But I can tell you why I am using it.

The environment I am working in consists of multiple disconnected systems, each maintained by different departments. JWT allows us to to create an authentication service that is disconnected and also works across multiple systems.

Ok, here is the key and it is unique, if it is stolen, then you are screwed. I will crc your key (and encrypt the crc) just for security.

This is a complete misunderstanding of JWT and realky has nothing to do with JWT.

Encryption (checking the token contents against the signature) works to ensure that everything in your JWT token is valid and hasn't been altered. So it's public, but you can trust it.

That’s not encryption, that’s just signing. The data in a JWT is base64-url encoded, but otherwise easily readable.

There is a standard for JWT encryption, but that’s a whole extra level of pain.

code of conduct - report abuse