Discussion on: Authorization and Authentication For Everyone

Kim Maida (Author)

Hello, thanks for your questions!

1) Yes, the client app must have access to the decryption key in order to validate the signature; otherwise, it won't be able to decrypt the signature to see its contents. If asymmetric key cryptography is being used, then it will be a public key; if symmetric, there is only one key, and that same key must be kept private on both the client and authorization server (not recommended).

2) No, the client does not need to communicate with the auth server during validation. It should already have the key, and everything else it needs to perform validation is contained within the JWT itself.

It's strongly recommended that you not implement validation manually, but rather, that you use an SDK or library. If you'd like to learn a lot more about this, I also wrote Signing and Validating JSON Web Tokens (JWT) for Everyone.