View parent Full Discussion (7 Best Practices for JSON Web Tokens)

The issue is with just using RSA encryption without signing/hmac. Encryption is done using the public key, which means anyone with that public key could then create a valid token.

Thank you for the clarification!

code of conduct - report abuse