Hacker News

mooreds, yesterday at 4:03 PM (1 reply)

I'm in the auth space.

It's usually best to verify JWTs using an asymmetric keypair, that way the BetterAuth node can sign the JWT, and your servers can use something like JWKS to get the public key.

Lessens where the secret key needs to be.

The exception is if:

* you control all the nodes and are confident in the security of all of them now and going forward AND
* speed is critical (using HMAC to sign JWTs is faster) AND
* you've benchmarked and signing speed is a significant portion of response time


Replies

mooreds, yesterday at 7:06 PM

* you control all the nodes and are confident in the security of all of them now and going forward AND
* speed is critical (using HMAC to sign/verify JWTs is faster) AND
* you've benchmarked and signing speed is a significant portion of response time