I want to ask something, while using asymmetric encryption, we encrypt the data using client's public key, so the client can decrypt the data using their private key right?
I just found tutorials for signing JWT using RSA, but I found they encrypt the data using the server private key instead of client's public key, and the server's public key shared among clients.
Is it even safe? Because if the public key falls into the wrong hands, because it's shareable, everyone can decrypt it, right?
So, is it okay to sign the JWT like that?
references: tutorial1 tutorial2
so the client can decrypt the data using their private key, right?
Yes, in case of encrypting data this is the normal way.
But in case of JWTs it's not about encrypting something that only the receiver is supposed to decrypt, but about signing a token.
The goal is that only one instance, e.g. the authentication server or generally the token issuer, can sign the token, but everyone can verify the signature with the public key.
Because if the public key falls into the wrong hands, because it's shareable, everyone can decrypt it, right?
The public key can't fall into the wrong hands, because it is public. So by definition everyone is allowed to see it.
The contents of the token (i.e. the payload) are not encrypted, but just base64url encoded and can be read by everyone, e.g. on https://jwt.io.
So, is it okay to sign the JWT like that?
Yes.