DEV Community

Discussion on: Threat Modelling Serverless

Peter Benjamin (they/them) • Edited

Tanya and Bryan, great article!

With regards to:

I reminded him that JWTs are encoded, not encrypted, and therefore they were not a secure way to transmit data.

The IETF has defined JSON Web Encryption (JWE), which is different from JSON Web Signing (JWS).

Am I wrong to believe that statement above is in reference to JWS?

What is the extent to which you have seen JWEs be used?
And would that be sufficient to protect sensitive data in JWT payloads?

Tanya Janca

Hi! The signature makes sure that you know who sent it, but it can still (unfortunately) be decrypted. It cannot be modified, so the integrity is intact, but the confidentiality (assuming someone got a copy of it) would not be intact. JWTs are great for many things, but for sending sensitive information they are not a good choice.

I have a blog post with a bit more info here, let me know if it helps: code.likeagirl.io/pushing-left-lik...

Also, this post might provide a bit of context:
(summary: putting sensitive info in parameters is not a good idea)
code.likeagirl.io/pushing-left-lik...

If that doesn't make sense let me know and I'll write more. :)

Thank you for reading.
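An added example, not part of either comment above, to make the JWS point concrete: a compact HS256 JWS built with only the Python standard library (the signing key and the claims are constructed for the demo). Anyone holding the token can read the payload with a base64url decode, while the signature only lets the holder of the key detect that header or payload were changed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; in a real system only the issuer and verifier hold it.
SECRET = b"demo-signing-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWS strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) using HMAC-SHA256."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_payload_without_key(token: str) -> dict:
    """No key involved: the claims are only base64url-encoded, not encrypted."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> bool:
    """Integrity check: recompute the HMAC over header.payload and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def replace_payload(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature; a verifier must reject the result."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_json_b64(new_claims)}.{sig_b64}"


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "account": "constructed-1234"}, SECRET)
    print("claims readable without key:", read_payload_without_key(token))
    print("valid with key:", verify_hs256(token, SECRET))
    print("modified token valid:", verify_hs256(replace_payload(token, {"sub": "bob"}), SECRET))
```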