I implemented JWT authentication using the jsonwebtoken module. But do I need to create and manage arbitrary secret keys for each user when generating and verifying JWT tokens? Is there a difference between managing secret keys separately for each user and generating and verifying JWT tokens with one secret key?
3 Answers
No, you use a single secret key to sign your tokens. This is because when the token comes back to you in a request, you need to be able to decode the token, and at this point you don’t know whether a genuine user is sending your token, because you haven’t verified it yet.
Use a single key to sign and verify your tokens, and remember to keep it safe.
Technically nothing stops you from parsing the header and/or the payload of a JWT token _before_ checking the signature. However the token cannot be trusted at this stage. – cassiomolin Sep 08 '17 at 12:49
Thank you so much!! Rothschild, Cassio Mazzochi Molin – HungryBird Sep 10 '17 at 04:33
No, you definitely don't need a key per user. A single key is enough for all users in most situations.
If you want to, you can have a set of different keys and rotate them periodically to sign the tokens. In this situation, use the kid header claim to hold a key identifier and then use it to look up the right key to verify the token. See more details in this answer.
Is there a difference between managing secret keys separately for each user and generating and verifying jwt tokens with one secret key?
The short answer is no, as far as a JWT is concerned a key is a key.
The long answer is it depends. The purpose of the JWT secret is to ensure the integrity of the message, generally this is something you would do at issuer (server) level as a way of verifying the origin of the message. In layman's terms, if the server can verify the signature then it can trust the contents.
User-level secrets move the trust down a level in the sense that you don't care which server generated the message but rather which user did. In a typical authentication token scenario it's really more server trust you want.