
When I need to make an authentication using JWT with a symmetric key, is it required to share the secret key with the client? I mean, why? I can just send the JWT to the client, and the client doesn't need to verify it as I understood, but only the server can verify it when the user makes a request with the JWT?... Am I correct?

Because I have created an authentication system with Sanctum before and connected it with Flutter (client), and I didn't notice any verification required from the client side or any public key. Only a secret key.

Osama Mohammed
  • I'm not aware of a JWT with symmetric key. May you link the RFC standard? – Christian Vincenzo Traina Nov 18 '22 at 09:12
  • "he doesn't need to verify it as I understood, but only in the server" What's "he"? And why do you distinguish it from the server? Will he manually verify the tokens? – Christian Vincenzo Traina Nov 18 '22 at 09:12
  • I made some edits to be more clear. By "he" I meant the client, because I am talking from the backend developer perspective – Osama Mohammed Nov 18 '22 at 09:16
  • My question is in general, for a normal authentication system using JWT, for example with Sanctum or Passport – Osama Mohammed Nov 18 '22 at 09:17
  • Does this answer your question? [JWT Keys - Asymmetric and Symmetric](https://stackoverflow.com/questions/32900998/jwt-keys-asymmetric-and-symmetric) – Ken Lee Nov 18 '22 at 09:18
  • Actually no, because I am talking only about authentication, and I have created an authentication system with Sanctum before and connected it with Flutter (client), and I didn't notice any verification required from the client side or any public key. Only a secret key – Osama Mohammed Nov 18 '22 at 09:21
  • @ChristianVincenzoTraina *JWT with symmetric key. May you link the RFC standard?* - "HSxxx" algorithms: https://www.rfc-editor.org/rfc/rfc7518#section-3.2 – jps Nov 18 '22 at 09:25

0 Answers
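Added example, not part of the original thread: a standard-library Python sketch of the HS256 flow the question describes, using the HMAC-SHA256 algorithm from the RFC 7518 section linked in the comments. The secret, the function names and the sample claims are assumptions made for illustration; the server signs and verifies, and the client only stores the token and sends it back.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret. It lives only on the server; the client never sees it.
SECRET = b"constructed-demo-secret"

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user_id, ttl=3600, now=None):
    """Server: build header.payload and append its HMAC-SHA256 tag (HS256)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": user_id, "exp": now + ttl}).encode())
    signing_input = header + "." + payload
    return signing_input + "." + b64url_encode(sign(signing_input))

def verify_token(token, now=None):
    """Server: return the claims, or None if forged, malformed or expired."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm instead of trusting the header
        expected = sign(header_b64 + "." + payload_b64)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, AttributeError, TypeError):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims

def client_auth_header(token):
    """Client: store the token as an opaque string and replay it; no key needed."""
    return {"Authorization": "Bearer " + token}

if __name__ == "__main__":
    token = issue_token("42")
    print(client_auth_header(token))
    print(verify_token(token))
```

The payload is only base64url-encoded, so the client can read the claims without any key; changing them invalidates the signature, which only the holder of the secret can recompute.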