mikenicholson / passport-jwt

Passport authentication using JSON Web Tokens
MIT License

PEM secret #103

Closed martunta closed 7 years ago

martunta commented 7 years ago

Is there any example about PEM secret usage? I am not fully sure how to use it, but it feels like using just a simple string for a secret would not be a production-ready solution. I might be wrong though, can you explain the difference, please?

mikenicholson commented 7 years ago

Check out the example usage for jsonwebtoken for how to read a key off the filesystem.

Whether you choose to use a string with HMAC or a public/private key depends on your implementation needs. For example, Google Sign-In for Android uses a public/private key pair where they publish the public key so anyone can validate a JWT issued by Google, but only Google can issue them because only they have the private key. You can also check out this Stack Overflow post on the topic.

HMAC is not inherently flawed or not production-ready. You can easily choose a long, random string, much like a private key. It just doesn't provide the ability to issue a public key for third-party verification of a JWT.

Both options are valid production solutions, it really depends on your needs.

MarvinXu commented 1 year ago

@mikenicholson I was led here by NestJS doc which encourages me to use PEM:

secretOrKey: we are using the expedient option of supplying a symmetric secret for signing the token. Other options, such as a PEM-encoded public key, may be more appropriate for production apps (see here for more information).

But according to your answer,

HMAC is not inherently flawed or not production ready.

They (NestJS) seem to be wrong?