The idea behind using asymmetric encryption for a JWT token is that the API will generate and sign a token using the API's private key. The API's public key might be known internally or by a CA. The client or other services then send the received JWT token to the API, which validates it with the public key.
This does not happen in typical circumstances (for example, while sending an email), because the API uses both keys, not the client and the API separately.
Thanks for pointing this out. The article has now been updated in order to make it easier to understand this topic.
Your example code does not agree with the diagram above. Your code signs with the private key when the user logs in successfully and returns the token to the browser, and validates it with the public key after that. May I know the reason?
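The flow the first reply describes, as an added example that is not code from the article or from anyone in this thread: the API signs the token with its private key (RS256, RSASSA-PKCS1-v1_5 over SHA-256) and whoever holds the matching public key verifies it. The verifier pins the algorithm it expects instead of trusting the token's own `alg` header, checks `exp`, and rejects a tampered payload or a token signed under a different key. Go's standard library is enough for this. The in-process key generation stands in for the API's real key, and the claim set, the key size and the function names are assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWT segments are base64url without padding.
var b64 = base64.RawURLEncoding

// Claims is a minimal claim set (assumed for the example): subject and expiry.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// SignRS256 is what the API does at login: build header.payload and sign it
// with the API's private key. Only the private key holder can produce this.
func SignRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 is what the API (or any service holding the public key) does on
// each request. The expected algorithm is fixed here, not read from the token,
// so a header claiming "none" or an HMAC algorithm is refused outright.
func VerifyRS256(pub *rsa.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return c, err
	}
	if hdr.Alg != "RS256" {
		return c, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	// Verify before trusting anything in the payload.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}

func main() {
	// Stand-in for the API's long-lived key pair (generated here only for the demo).
	apiKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := SignRS256(apiKey, Claims{Sub: "alice", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(tok)

	c, err := VerifyRS256(&apiKey.PublicKey, tok, time.Now())
	fmt.Println("own public key:", c, err)

	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = VerifyRS256(&otherKey.PublicKey, tok, time.Now())
	fmt.Println("some other public key:", err)
}
```

The point the reply makes about key ownership shows up in the two calls at the end: the same token verifies under the API's public key and fails under any other. Because the public key can be distributed freely, the only secret that matters is the private key on the API side, which is why the verifier must never let the token's header choose a symmetric algorithm that would turn that public key into a shared secret.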