Reputation: 3797
How to handle JWT secret key when decoding tokens clientside?
I am using JWT tokens for authenticating users clientside.
On my server, I specify a secret key to encode the tokens.
On the client, I want to decode these tokens and verify that validity, but how can this be accomplished without exposing the secret to the client (I assume this is not allowed)
Upvotes: 0
Views: 1037
Answers (1)
Reputation: 16695
There are different types of keys:
- Asymmetric keys (or private/public key pairs)
- Symmetric keys (or shared keys)
If you use symmetric keys to sign or encrypt your JWT (on server side), these keys must by used to verify or decrypt the JWT on client side. If you use private/public key pairs, the signature or the decryption is performed using the private key; the verification or the encryption with the public key.
So if you want to decode these tokens and verify that validity ... without exposing the secret to the client, then you should consider the use of asymmetric keys.
Your JWT will be signed by the server using the private key and verified by the client with the public key.
Upvotes: 1
Related Questions
- How to safely store & process secret key for JWT
- Invalidating JSON Web Tokens
- JWT Private / Public Key Confusion
- Where to store JWT in browser? How to protect against CSRF?
- If you can decode JWT, how are they secure?
- DefaultJwtParser: how to merely decode the JWT? (no secret key, no validation)
- JWT (JSON Web Token) automatic prolongation of expiration
- How to check JWT integrity without secret key in PHP?
- How should I ethically approach user password storage for later plaintext retrieval?