Closed volodymyrss closed 3 years ago
Yes, in a given platform deployment, one secret can be used for a specific communication channel. We could also use it both for the API and the frontend, since they work in the same way.
Technically, the token is not encoded with the secret; it is signed. The token itself is encoded with base64 - you can also just decode it with the base64 module. Or you can decode it with pyjwt and not verify, at least as an option - also for tests.
Does this imply that the same secret will be used for the encoding of the token across all users?
And, taking a look at the configuration of the frontend (here) the secret can be stored within the DB