DEV Community

Discussion on: Threat Modelling Serverless

shehackspurple profile image
Tanya Janca Author

Hi! The signature makes sure that you know who sent it, but it can still (unfortunately) be decrypted. It cannot be modified, so the integrity is intact, but the confidentiality (assuming someone got a copy of it), would not be intact. JWTs are great for many things, but for sending sensitive information they are not a good choice.

I have a blog post with a bit more info here, let me know if it helps:

Also, this post might provide a bit of context:
(summary: putting sensitive info in parameters is not a good idea)

If that doesn't make sense let me know and I'll write more. :)

Thank you for reading.