Why Sign JSON Web Tokens From A Password When We Can Use RSA or ECDSA?
Published in
Jul 29, 2022
One of the most widely used token standards is JSON Web Tokens (JWT).
With this we have:
- A header. This defines the token type (such as JWT) and the signing method that we will use.
- A payload. This carries the claims, encoded as a JSON object. It might include the user’s ID, their email address, and so on. The fields are flexible and can be created for any purpose.
- A signature. This is either a public key signature (with RSA or ECDSA) or an HMAC (which uses a given hash function and a shared secret, such as a password).
The registered claim names are:
- “iss” (Issuer). This identifies the issuer of the token.
- “sub” (Subject). This defines the subject of the token.
- “aud” (Audience). This identifies the intended recipients of the token.
- “exp” (Expiration Time). This defines the time after which the token must no longer be accepted.
- “nbf” (Not Before). This defines the time before which the token must not be accepted.
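The following is an added example, not code from the article: it builds the three-part header.payload.signature structure with an HS256 (HMAC-SHA256) signature using only the Python standard library, then verifies a token the way a resource server should: pin the expected algorithm instead of trusting the token’s `alg`, compare the HMAC in constant time, and enforce the registered claims “exp”, “nbf” and “aud”. The function names (`issue_hs256`, `verify_hs256`, `verdict`), the secret and the sample claims are all constructed for this demonstration. The RSA/ECDSA variant is not shown because it needs a third-party library (for example PyJWT or cryptography); the structural difference is that a verifier then holds only the public key, whereas with HMAC every verifying service must hold the same secret that issues tokens.

```python
"""Minimal JWT (HS256) issue/verify using only the Python standard library."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding (RFC 7515 style)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_json(obj: dict) -> str:
    # Compact separators keep the token short and deterministic
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature (constructed demo)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(tag)


def verify_hs256(token: str, secret: bytes, audience: str,
                 now: Optional[float] = None) -> dict:
    """Return the claims if signature and registered claims check out, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified
    # (this rejects "none" and any public-key algorithm confused with HMAC).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    aud = claims.get("aud")
    aud_ok = aud == audience or (isinstance(aud, list) and audience in aud)
    if not aud_ok:
        raise ValueError("audience mismatch")
    return claims


def verdict(token: str, secret: bytes, audience: str, now: float) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        verify_hs256(token, secret, audience, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: a token valid between t=1000 and t=2000 for audience api.example
    secret = b"constructed-demo-secret"
    claims = {"iss": "auth.example", "sub": "user-42", "aud": "api.example",
              "nbf": 1000, "exp": 2000}
    token = issue_hs256(claims, secret)
    print(token)
    print("at t=1500:", verdict(token, secret, "api.example", 1500))
    print("at t=2000:", verdict(token, secret, "api.example", 2000))
    print("wrong aud:", verdict(token, secret, "other.example", 1500))
```

Note the order of checks in `verify_hs256`: the algorithm is pinned and the signature verified before any claim in the payload is trusted, so “exp”, “nbf” and “aud” are only read from a payload that the secret holder actually signed.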