What should be the "secret" in the JWT?

I am going to use JWT in my REST API, developed with Java-Jersey. I use this library for JWT: https://github.com/auth0/java-jwt

I have a few questions about the JWT secret:

  • Should this secret be unique?
  • Should I use a hashed version of the user's password as the secret? (In any case, this is not unique.) The reason is that when a user changes his password, his token would automatically become invalid.
+4
3 answers
  • Should this secret be unique?

[The body of this answer did not survive extraction; the only readable fragment is an example secret, GoPackers123.]
+6

[This answer did not survive extraction; the readable fragments are java-jwt, the algorithm names HS256 and RS256 (one per bullet), and the kid header.]

+4

[Most of this answer was lost in extraction; its opening fragment mentions RSA256 (java-jwt's name for the RS256 algorithm, i.e. RSA signing). Only the closing sentence survived:]

You can provide the public key to anyone or any service that needs to verify the validity of the token signature.

+3
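A worked example, added here and not taken from any of the answers or from java-jwt, showing both choices the second and third answers name: an HS256 token under a shared secret, and an RS256 token under an RSA key pair where the verifier holds only the public half. In both cases the verifier selects the key by the kid header and takes the algorithm from its own key material, not from the token. The shared secret is 32 bytes from crypto/rand rather than anything derived from a user's password; that is this example's choice on the question's second bullet, not a position any of the answers is known to have taken. It is written in Go against the standard library so it runs without java-jwt; the kid values, the Keyring type and NewDemoKeyring are names made up for the demo.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT uses unpadded base64url

// signingInput builds "header.payload"; alg and kid live in the header.
func signingInput(alg, kid string, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT", "kid": kid})
	p, _ := json.Marshal(claims)
	return b64.EncodeToString(h) + "." + b64.EncodeToString(p)
}

// SignHS256 mints a token under a shared secret that verifiers look up by kid.
func SignHS256(kid string, secret []byte, claims map[string]any) string {
	in := signingInput("HS256", kid, claims)
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(in))
	return in + "." + b64.EncodeToString(m.Sum(nil))
}

// SignRS256 mints a token with the RSA private key; verifiers need only the public key.
func SignRS256(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	in := signingInput("RS256", kid, claims)
	h := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return in + "." + b64.EncodeToString(sig), err // token is unusable when err != nil
}

// Keyring maps a kid to an HMAC secret or an RSA public key; the algorithm comes from the key, never from the token's alg header.
type Keyring struct{ HMAC map[string][]byte; RSA map[string]*rsa.PublicKey }

// Verify checks the signature and only then returns the claims.
func (k Keyring) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, errors.New("bad base64url")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	in := []byte(parts[0] + "." + parts[1])
	switch {
	case k.HMAC[hdr.Kid] != nil && hdr.Alg == "HS256":
		m := hmac.New(sha256.New, k.HMAC[hdr.Kid])
		m.Write(in)
		if !hmac.Equal(m.Sum(nil), sig) { // constant-time compare
			return nil, errors.New("bad HMAC signature")
		}
	case k.RSA[hdr.Kid] != nil && hdr.Alg == "RS256":
		h := sha256.Sum256(in)
		if err := rsa.VerifyPKCS1v15(k.RSA[hdr.Kid], crypto.SHA256, h[:], sig); err != nil {
			return nil, err
		}
	default:
		return nil, errors.New("unknown kid, or kid/alg mismatch")
	}
	claims := map[string]any{}
	return claims, json.Unmarshal(payload, &claims)
}

// NewDemoKeyring: a random 256-bit secret (not derived from any password) and a 2048-bit RSA pair; only the public half is kept.
func NewDemoKeyring() (Keyring, []byte, *rsa.PrivateKey) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	kr := Keyring{HMAC: map[string][]byte{"hs-2024-01": secret}, RSA: map[string]*rsa.PublicKey{"rs-2024-01": &priv.PublicKey}}
	return kr, secret, priv
}

func main() {
	kr, secret, priv := NewDemoKeyring()
	fmt.Println(kr.Verify(SignHS256("hs-2024-01", secret, map[string]any{"sub": "alice"})))
	rs, _ := SignRS256("rs-2024-01", priv, map[string]any{"sub": "bob"})
	fmt.Println(kr.Verify(rs))
}
```

Run it with `go run`. Verify rejects a token whose payload was swapped, one signed under a different secret for the same kid, an HS256 token presented under the RSA kid, and any kid the keyring does not know. Because a token names its key, invalidating everything signed under a key is a matter of dropping that kid from the keyring and minting new tokens under a new one; this is the same mechanism whether the keys are per-service or per-user.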

Source: https://habr.com/ru/post/1672426/

