DEV Community

Discussion on: JWT explained as Formulas

Remco Boerma • Edited

Nice explanation, thanks for sharing. Expressing it as functions is a smart way to explain the workings of JWT.

I would like to amend that SHA256 is widely used with the pre-shared key. Whether that's useful depends on the use case. If you have to validate something from one of your own servers, or from public servers, then public key encryption (RSA, ECC) is used a lot. Indeed, to mitigate the problem of giving away the secret, as you stated.

When an application needs to validate input from its users, like in an API, the use of a PSK in the form of an API key is widespread. That API key is very often used to seed the SHA256 algorithm (to not have to send the key readable over the wire) and as a means to validate the sender (because of the trust given to knowing the pre-shared key). Can it be done with public key infrastructure? Sure, but you can't expect every API user to register a domain, host a public key and register this URI with your application. B2B solutions might adhere to this approach more, but I haven't seen such complexity much in the wild compared to the aforementioned methods.

Hope it helps and thanks again.
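The pre-shared-key variant described in the comment above is what JWT standardizes as HS256: the shared secret keys an HMAC-SHA256 over `base64url(header).base64url(payload)`, so the secret itself never travels over the wire, only the tag computed with it. The following is an added, stand-alone example (not code from the article or from the commenter) using only the Python standard library; the secret and the claims are constructed for the demonstration. It also shows why the same secret on the verifying side is the weak point the article raises: whoever holds it to verify can equally mint tokens, which is the trust-boundary problem RS256/ES256 avoid.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    """Compact JSON (no whitespace) -> base64url, as JWT libraries emit it."""
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT: signature = HMAC-SHA256(secret, header.payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{encode_segment(header)}.{encode_segment(claims)}"
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(tag)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the token is a valid HS256 JWT under `secret`, else None.

    The verifier needs the very same secret the issuer used. That is the
    property the thread discusses: fine inside one trust domain (your own
    servers, or an API client holding its own API key), but it means any
    party you hand the secret to for verification can also forge tokens.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None

    # Pin the algorithm: the verifier decides what it accepts, never the token.
    # This rejects "alg":"none" and any attempt to swap in a different scheme.
    if header.get("alg") != "HS256":
        return None

    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(expected, signature):
        return None

    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed demo secret; a real API key would be random and per-client.
    SECRET = b"constructed-demo-secret"
    token = sign_hs256({"sub": "api-client-42", "scope": "read"}, SECRET)
    print("token:", token)
    print("valid  :", verify_hs256(token, SECRET))
    print("wrong key:", verify_hs256(token, b"some-other-secret"))

    # Tamper with the payload but keep the original tag: the HMAC no longer matches.
    h, _, s = token.split(".")
    forged = f"{h}.{encode_segment({'sub': 'api-client-42', 'scope': 'admin'})}.{s}"
    print("tampered:", verify_hs256(forged, SECRET))
```

The example keeps the key on both ends, which is exactly the API-key model the comment describes; the reason the article reaches for RSA or ECC is that a public-key verifier can check tokens without being able to issue them.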

Zack Webster

It does, and also, thanks for such a detailed comment!