Tangible Bytes

A Web Developer’s Blog

Jwt Secret

A JWT is signed with a secret, which must be stored securely

This secret is used to sign (or encrypt) the token, and the token can then be validated using the same secret. If the secret is shared between multiple servers, the token can be validated on any of them.

The secret can change over time (at which point all previously issued tokens become invalid) and should be different in each environment: there is no need to have the same secret in staging and production, since a token should not be valid across both.

It hasn’t been especially clear to me how a new token is best generated.
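To make the points above concrete, here is an added example (not the blog's code) that builds and checks an HS256 JWT with only the Python standard library, then walks through a constructed scenario: two production servers sharing one secret, a staging secret that does not validate production tokens, and a rotation that invalidates every earlier token. The claim values and the 32-byte secret size are assumptions for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url(data: bytes) -> str:
    # JWT segments use unpadded base64url (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def new_secret() -> bytes:
    # 32 random bytes: the minimum HS256 key length per RFC 7518
    return secrets.token_bytes(32)

def sign_token(claims: dict, secret: bytes) -> str:
    # Compact HS256 JWS: header.payload.mac, each segment base64url-encoded
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def verify_token(token: str, secret: bytes, now=None):
    # Returns the claims if the MAC matches this secret and the token is unexpired, else None
    try:
        header_b64, payload_b64, mac_b64 = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # the verifier fixes the algorithm; the token must not choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(mac_b64)):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        return None
    return claims

def rotation_demo() -> dict:
    # Constructed scenario: two production servers share one secret, staging has its own,
    # then production rotates its secret
    prod_secret = new_secret()
    token = sign_token({"sub": "user-123", "exp": int(time.time()) + 3600}, prod_secret)
    results = {"second_server_same_secret": verify_token(token, prod_secret) is not None,
               "staging_secret": verify_token(token, new_secret()) is None}
    prod_secret = new_secret()  # rotation: every token issued under the old secret now fails
    results["after_rotation"] = verify_token(token, prod_secret) is None
    return results
```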
