Closed himanshutecstub closed 1 year ago
You COULD encrypt the data before adding it to the token. BUT you SHOULD NOT. Please do not!
Data inside a JSON WEB TOKEN is NOT meant to be secure! You MUST expect that any data you set in the JWT payload COULD be read by anybody who gets the token.
The JWT is meant to be signed - you can be sure the payload is "real" and not changed by an attacker if the signature is valid, of course.
I don't know what you want to put into the payload, but there is for sure another way to solve your problem.
There is a standard for encrypted JWT / JOSE called JWE. I think this library does not support it. If you are just looking for encrypted and signed tokens you could check Paseto, Branca or Fernet as an alternative.
But still: please do not use encrypted sensitive data in a JSON WEB TOKEN, even with an encrypted payload.
You do put, e.g., a user_id into the token. An app receiving the token can then validate that this user_id has not been modified (signature valid). The app can now read or request sensitive data if needed. But you could put a user_email encrypted into the JWT. But you do not put something sensitive like a user_password (encrypted or not) into the JWT payload. I did not find a better example atm.
Sensitive ~= relative ... it depends. As long as I don't know what OP wants to add to his JWT payload, I say: NO
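The point made above, shown as an added example (not code from this library or from the commenter): an HS256 JWT built with only the Python standard library, whose payload anyone can read without the key, while the signature check still rejects a modified payload. The key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the '=' padding that JWT strips
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    header = _json_segment({"alg": "HS256", "typ": "JWT"})
    body = _json_segment(payload)
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def read_payload_without_key(token: str) -> dict:
    # No key needed: the payload is plain base64url-encoded JSON
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, key: bytes) -> bool:
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def with_modified_payload(token: str, new_payload: dict) -> str:
    # Swap the payload but keep the old signature: this is what verification must catch
    header, _, sig = token.split(".")
    return f"{header}.{_json_segment(new_payload)}.{sig}"


KEY = b"constructed-demo-secret"  # constructed sample key, not a real secret
TOKEN = sign_hs256({"sub": "user-42", "email": "alice@example.com"}, KEY)

if __name__ == "__main__":
    print("payload readable without key:", read_payload_without_key(TOKEN))
    print("signature valid:", verify_hs256(TOKEN, KEY))
    print("modified token valid:", verify_hs256(with_modified_payload(TOKEN, {"sub": "user-1"}), KEY))
```

Any receiver must therefore treat the payload as public and rely only on the signature check for integrity, which is why sensitive values do not belong in it.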
Hello, I want to create a JWT token with a public key & private key, and it's working OK. But I can decrypt that key without passing the key. So what can I do for security (any data in the token not decrypted without the key)? I tried with both the HS256 & RS256 algorithm methods, but every token decrypts easily.