Hey, hi. I am new to this JWT and I have a little confusion.
In the above article it says the public key will be used to encrypt and the private key will be used to decrypt.
But the token generation method is using a private key to generate, and the public key is being used to validate the generated token.
As the public key is a shared key (which we can share across all our vendors/clients), what will they do with that key? They can't create a token (if they wish to), as it is used for verification.
Flow chart (my understanding):
Client -----Requesting access----> In return the Web API project sends a token ----> Client uses the token to access the API --> Web API project validates the token and shares the data.
So in the above process, why should the client know the public key?
Can you please explain with an example, in general, using the case of 1 Web API being accessed by multiple vendors/clients?
The idea behind using asymmetric encryption for a JWT token is that the API will generate and sign a token using the API's private key. The API's public key might be known internally or by a CA. The client or other services then send the received JWT token to the API, which validates it with the public key.
This does not happen in typical circumstances (for example, while sending an email), because the API uses both keys, and not the client and the API separately.
Thanks for pointing this out. The article has now been updated in order to make it easier to understand this topic.
Your example code does not agree with the diagram above. Your code signs with the private key when the user logs in successfully and returns the token to the browser, and validates it with the public key after that. May I know the reason?