I need to

  • encrypt JSON payload (not just sign)
  • not share private key
  • verify the payload is generated with the shared public key and RSA fitting all of these.

As I’ve only made auth with JWT so far, I’m not sure. If I use RSA, I guess I have to put the encrypted text in the body.

Do you think it can be used? Any other suggestions?

  • mwguy@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    1 year ago

    If you’re already using JWTs for the auth it seems like JWE.

    However unless you’re storing your tokens and payloads (like in a job queue) that might be overkill. If your standard REST/Graphql api is backed by SSL/TLS you get encryption in transit for free.