I am going to apply JWT to my REST API, developed using Java-Jersey. I am using this library for JWT - https://github.com/auth0/java-jwt
I have a few questions about the
JWT and the java-jwt library support both symmetric and asymmetric algorithms for the signature:
If you go for symmetric algorithms such as HS256, you will have only a single key to be used to sign and verify the signature.
If you consider asymmetric algorithms such as RS256, you will have a private key and a public key. Keep the private key safe on the server and use it to sign the token. Use the public key to verify the signature (it can also be shared with whoever needs to verify the signature).
Never ever share the key used to sign the token!
And nothing stops you from having a set of different keys for signing your tokens. In this situation, the kid header parameter can be used to indicate which key was used to sign the token. This claim is supposed to carry a key identifier and not the key itself.
Refer to this answer for more details on the kid claim.
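To make the three points of the answer above concrete (one shared secret for HS256, a private/public split for RS256, and a kid header selecting among several keys), here is an added example written for this page; it is not code from the question, the answer, or the java-jwt project. It assumes Java 8+ with java-jwt 3.x or later on the classpath, and uses the library's public API (JWT.create, JWT.require, Algorithm.HMAC256, Algorithm.RSA256, RSAKeyProvider). The issuer name, the kid values, the HMAC secret and the in-memory RSA key pairs are all constructed for the demo; a real service loads keys from a keystore or HSM.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.JWTVerifier;
import com.auth0.jwt.interfaces.RSAKeyProvider;

import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

public class JwtKeyDemo {

    private static final String ISSUER = "api.example.com"; // assumed issuer for the demo
    private static final long TTL_MS = 15 * 60 * 1000L;     // 15-minute tokens

    // HS256: the same secret signs and verifies, so every party that can verify
    // can also mint tokens. Only the token-issuing server should hold it.
    static String signHs256(byte[] secret, String subject) {
        return JWT.create().withIssuer(ISSUER).withSubject(subject)
                .withExpiresAt(new Date(System.currentTimeMillis() + TTL_MS))
                .sign(Algorithm.HMAC256(secret));
    }

    static DecodedJWT verifyHs256(byte[] secret, String token) {
        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(secret)).withIssuer(ISSUER).build();
        return verifier.verify(token); // throws JWTVerificationException on a bad signature or claim
    }

    // RS256 issuer side: holds private keys, signs with the active one, and the
    // provider's getPrivateKeyId() is what java-jwt copies into the kid header.
    static RSAKeyProvider issuerProvider(Map<String, KeyPair> pairs, String activeKid) {
        return new RSAKeyProvider() {
            @Override public RSAPublicKey getPublicKeyById(String kid) {
                KeyPair kp = pairs.get(kid);
                return kp == null ? null : (RSAPublicKey) kp.getPublic();
            }
            @Override public RSAPrivateKey getPrivateKey() {
                return (RSAPrivateKey) pairs.get(activeKid).getPrivate();
            }
            @Override public String getPrivateKeyId() { return activeKid; }
        };
    }

    // RS256 verifier side: public keys only, looked up by the token's kid.
    // An unknown kid yields null, which java-jwt reports as a verification failure.
    static RSAKeyProvider verifierProvider(Map<String, RSAPublicKey> publicKeys) {
        return new RSAKeyProvider() {
            @Override public RSAPublicKey getPublicKeyById(String kid) { return publicKeys.get(kid); }
            @Override public RSAPrivateKey getPrivateKey() { return null; } // never present here
            @Override public String getPrivateKeyId() { return null; }
        };
    }

    static KeyPair newRsaKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // --- HS256 with one shared secret (constructed for the demo) ---
        byte[] secret = "replace-with-32-random-bytes-from-a-csprng".getBytes(StandardCharsets.UTF_8);
        System.out.println("HS256 subject: " + verifyHs256(secret, signHs256(secret, "alice")).getSubject());

        // --- RS256 with two keys in rotation, told apart by kid ---
        Map<String, KeyPair> pairs = new HashMap<>();
        pairs.put("2023-key", newRsaKeyPair()); // previous key, still accepted by verifiers
        pairs.put("2024-key", newRsaKeyPair()); // current signing key
        String rsToken = JWT.create().withIssuer(ISSUER).withSubject("bob")
                .withExpiresAt(new Date(System.currentTimeMillis() + TTL_MS))
                .sign(Algorithm.RSA256(issuerProvider(pairs, "2024-key")));

        // The verifying service is handed only the public halves.
        Map<String, RSAPublicKey> publicKeys = new HashMap<>();
        for (Map.Entry<String, KeyPair> e : pairs.entrySet()) {
            publicKeys.put(e.getKey(), (RSAPublicKey) e.getValue().getPublic());
        }
        JWTVerifier rsVerifier = JWT.require(Algorithm.RSA256(verifierProvider(publicKeys)))
                .withIssuer(ISSUER).build();
        DecodedJWT ok = rsVerifier.verify(rsToken);
        System.out.println("RS256 kid=" + ok.getKeyId() + " subject=" + ok.getSubject());

        // A token that claims a known kid but is signed with some other private key is rejected:
        // kid only selects which public key to try, it does not bypass the signature check.
        KeyPair rogue = newRsaKeyPair();
        String rogueToken = JWT.create().withIssuer(ISSUER).withSubject("mallory").withKeyId("2024-key")
                .sign(Algorithm.RSA256((RSAPublicKey) rogue.getPublic(), (RSAPrivateKey) rogue.getPrivate()));
        try {
            rsVerifier.verify(rogueToken);
        } catch (JWTVerificationException ex) {
            System.out.println("Rejected rogue token: " + ex.getMessage());
        }
    }
}
```

Two things worth noting when adapting this. The verifier is built with a fixed Algorithm, so java-jwt also rejects a token whose alg header does not match (for example an HS256 token presented to an RS256 verifier), which closes the classic key-confusion trick where the public key is used as an HMAC secret. And because verifiers only ever see public keys, rotating the signing key is a matter of adding the new public key under a new kid on the verifier side first, then switching the issuer's active kid.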