
>Then there's people just shooting themselves in the foot and not actually signing them and just trusting them without any crypto signatures.

You would be surprised, a very short time ago I saw a (pretty large/common) web FinTech service provider that included the private key to verify the signature encoded within the JWT. It was SHOUTING to be hacked. I don't understand how people can be so irresponsible.



You mean the public key? The private key is what's used to sign tokens, the public key is used to verify the signature and can be freely shared. Or maybe you mean they used a symmetric key and shared that?


Private key to SIGN the content.


what am I missing?

a JWT signature is the header and payload encrypted and attached. You would do that encryption via a private key, said public key would be used to verify it was encrypted by the private key.

What does "to SIGN" mean in this context?


I'm pretty sure he meant they were putting the private key in the jwt.

People do some dumb stuff. And the Dunning-Kruger effect is all too real.


He said it was used to verify the token, which is only true if you use a symmetric key not a private key.


Right, from what they're saying, they're pulling the key out of the claims to verify the token.

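The pattern described in the comment above (the verifier reads its key out of the token's own claims) next to a verifier that only uses a key it already holds, as an added example that is not part of the thread. The `k` claim name, the minimal HS256 implementation and both keys are assumptions constructed for the demo.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

# Constructed demo secret: lives in server config, never inside a token.
SERVER_KEY = b"server-side-secret-constructed-for-demo"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a HS256 JWT; `key` is the symmetric secret used for the HMAC."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def _check(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HMAC over header.payload matches under `key`."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))

def verify_naive(token: str) -> Optional[dict]:
    """Anti-pattern from the thread: the key comes from the token itself (a
    hypothetical "k" claim), so any token vouches for its own signature."""
    _, payload, _ = token.split(".")
    claims = json.loads(b64url_decode(payload))
    return _check(token, claims["k"].encode())

def verify_pinned(token: str) -> Optional[dict]:
    """Correct form: the verifier trusts only the key it already holds."""
    return _check(token, SERVER_KEY)

def demo() -> Tuple[bool, bool]:
    """Token minted without SERVER_KEY, carrying its own key in "k":
    accepted by the naive verifier, rejected by the pinned one."""
    issuer_key = "constructed-key-chosen-by-whoever-minted-the-token"
    self_vouching = sign_hs256({"sub": "alice", "role": "admin", "k": issuer_key},
                               issuer_key.encode())
    return (verify_naive(self_vouching) is not None,
            verify_pinned(self_vouching) is not None)
```

Any key material the verifier needs must be configured out of band; a claim or header field is attacker-controlled input until the signature has been checked with a key the verifier already trusts.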
No it doesn't make sense.


Because they got the code out of a reddit comment?



