 

JWT with RSA public and private key

Tags: security, rsa, jwt

I don't understand why I should use the public key in signing JWT. The private key is there so that the JWT token cannot be forged, yes? But why additionally sign it with a public key? Are there any benefits? Because I don't understand it at all. After all, a JWT signed with a private key can be read without the public key. What is this public key for?

Szyszka947 asked Oct 20 '25 04:10



1 Answer

Signing a JWT means you take the cleartext, sign it with a key (either the private key from an RSA pair or a symmetric key), then add the signature to the JWT. The JWT itself is still readable without decrypting the signature. But someone with the key can decrypt the signature and confirm the contents match the cleartext.

The advantage of using RSA over a symmetric key is that anyone can verify the signature without needing a secret key. You can either pass the public key to the JWT recipient over a side channel, or if using OAuth2 it provides a URL to access public keys.

You would use the public key for encrypting, not signing. You encrypt with the recipient's public key so that only the recipient can decrypt it.

mbakereth answered Oct 21 '25 23:10
