
I'm using JWTs with Auth0. I'm verifying the token with the public key (pemCert).

However, I've seen examples where the token is decoded in other ways, e.g. with a private key. Is using the public key as secure as the other methods?

const jwt = require('jsonwebtoken');

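/**
 * Express middleware that verifies an RS256 JWT from the Authorization header.
 *
 * Behaviour:
 * - No Authorization header: the request continues unauthenticated.
 * - Header present but verification fails (bad signature, expired, ...):
 *   the request continues unauthenticated, exactly as if no token was sent.
 * - Verification succeeds: `req.authId` is set to the token's `sub` claim.
 * - JWT_PEM is not configured: the error is passed to `next(err)` so the
 *   request fails instead of silently treating every caller as anonymous.
 *
 * @param {import('http').IncomingMessage & { headers: object, authId?: string }} req
 * @param {object} res - unused, kept for the Express middleware signature
 * @param {(err?: Error) => void} next
 */
function authoriseToken(req, res, next) {
  const pemCert = process.env.JWT_PEM;

  // A missing verification key must not degrade into "everyone is anonymous";
  // surface it as a request error so the misconfiguration is noticed.
  if (!pemCert) {
    next(new Error('JWT_PEM is not configured'));
    return;
  }

  const token = req.headers.authorization;

  // If there is no token the user is not logged in
  if (!token) {
    next();
    return;
  }

  // Strip the "Bearer " scheme prefix only; anything else is handed to
  // verify() unchanged and rejected there.
  const tokenCrop = token.startsWith('Bearer ') ? token.slice('Bearer '.length) : token;

  // `algorithms` (plural, an allow-list) is the option jsonwebtoken honours.
  // Pinning it means the algorithm is decided by this server, never by the
  // token's own header, so a public key can only ever be used for RS256.
  jwt.verify(tokenCrop, pemCert, { algorithms: ['RS256'] }, (err, decodedToken) => {
    // Verification failure (e.g. expired) or an empty payload: proceed as
    // an unauthenticated request. `next()` is always called so the request
    // can never hang here.
    if (err || !decodedToken) {
      next();
      return;
    }

    // Verified: expose the subject to downstream handlers.
    req.authId = decodedToken.sub;
    next();
  });
}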
Evanss
    Are you talking about the usual Signed Jwt (Header. payload. signature) or encrypted tokens (JWE)? – jps Jul 02 '18 at 18:19
  • The usual signed JWTs. The tokens are for authentication but don't contain any sensitive information (apart from the user's email address) – Evanss Jul 03 '18 at 08:37
  • Please be careful with the terms encoded/decoded vs. encrypted/decrypted. For decoding you don't need a key. Usually the signature is created using the private key and validated using the public key. Maybe these answers [here](https://stackoverflow.com/questions/46999844/jwt-public-key-vs-private-key-signature-validation-what-is-the-difference) and [here](https://stackoverflow.com/questions/38588319/understanding-rsa-signing-for-jwt) are helpful. – jps Jul 03 '18 at 21:44
