JWT Verify client-side?

Frontend | Unresolved | 4 | 1663
误落风尘 2021-01-31 19:45

I have a nodejs api with an angular frontend. The API is successfully using JWT with passport to secure its endpoints.

I am now conscious that after the tokens have e

4 answers
  •  醉酒成梦
    2021-01-31 20:17

    Answer 1: It is not considered a good approach to verify your auth token on the client side, as it involves the secret key while encoding/decoding it, and keeping the secret key on the client side is not secure.

    Creating Token

    const jwt = require('jsonwebtoken'); // server-side only: this is where the secret lives
    const token = jwt.sign({ data: 'foobar' }, 'secret', { expiresIn: 60 * 60 }); // HS256 by default, expires in one hour

    Verifying Token

    // verify needs the same secret; decoded is the payload once the signature and expiry checks pass
    jwt.verify(token, 'secret', function (err, decoded) { if (err) throw err; console.log(decoded.data); /* foobar */ });

    Answer 2: JWT involves a secretOrPublicKey while encoding and decoding a token. It has to be declared or kept in a config file somewhere on the server side.

    Explanation: Decoding means decoding from Base64; there's no secret key involved in that process. On the other hand, verifying a JWT would require a secret key, because it would involve a cryptographic signature operation.

    To sum up, decoding does not need the secret (remember decoding is just interpreting base64) and verifying/signing does require it.
