JWT Verify client-side?

误落风尘 2021-01-31 19:45

I have a Node.js API with an Angular frontend. The API is successfully using JWT with Passport to secure its endpoints.

I am now conscious that after the tokens have e

4 answers
  •  时光说笑
    2021-01-31 20:14

    I think verifying a JWT token on the client side is not a good idea.
    IMO:

    1. Whenever a user logs in, generate an access token and a refresh token and return something like this to the user:

      { "accessToken": <>, "refreshToken": <>, "expiresAt": <> }

      So the client can understand when the access token expires and can refresh it with the refresh token.

    2. Encrypt the data that you put in the access token because there is a chance to access the data without the secret key. But of course someone needs the secret key to verify.
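
Added example, not part of the original answer: a client-side JavaScript sketch of the two points above. It reads a signed token's claims with no key at all, and uses `expiresAt` only to schedule a refresh. The function names, the sample token and the epoch-seconds format of `expiresAt` are assumptions.

```javascript
// Added example; every name and sample value here is constructed.

// Decode one base64url segment of a JWT to a UTF-8 string.
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Read the claims of a signed JWT (compact JWS). No key is involved: the
// payload is only encoded. Use the result for display or scheduling, never
// for authorization; the API still has to verify the signature itself.
function readClaimsUnverified(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const claims = JSON.parse(b64urlDecode(parts[1]));
  if (claims === null || typeof claims !== 'object') {
    throw new Error('payload is not a JSON object');
  }
  return claims;
}

// Decide whether to call the refresh endpoint now. expiresAt is assumed to be
// epoch seconds; skewSeconds refreshes early to absorb clock drift and latency.
function needsRefresh(expiresAt, nowMs = Date.now(), skewSeconds = 30) {
  if (!Number.isFinite(expiresAt)) return true; // missing or garbled: refresh
  return nowMs / 1000 >= expiresAt - skewSeconds;
}

// Constructed login response, built inline so the example runs offline.
function b64urlEncode(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const sampleLogin = {
  accessToken: [
    b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
    b64urlEncode(JSON.stringify({ sub: 'user-123', role: 'admin', exp: 1700000900 })),
    'constructed-signature-not-valid',
  ].join('.'),
  refreshToken: 'constructed-refresh-token',
  expiresAt: 1700000900,
};

console.log(readClaimsUnverified(sampleLogin.accessToken));
console.log(needsRefresh(sampleLogin.expiresAt, 1700000000 * 1000));
```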
