Notes taken between: 18-22 February 2019
git rebase --onto newBase oldBase feature/branch
Using HMAC is nice because it's the fastest option. However, in order to verify the JWTs, you need to give the other party the one key that does everything. Sharing this key with someone else means that that person could now also sign tokens and pretend to be you.
If you're building multiple server applications that all need to be able to verify your JWTs, you might not want every application to have the ability to sign tokens as well (different programmers might be maintaining the different applications, sharing the signing ability with more people is a security risk, etc.). In this case, it's better to have one tightly controlled private key (and one app that does the signing) and then share the public key around with other people to give them the ability to verify the tokens. Here, the private key is used to sign the tokens and the public key is used to verify them. In this case you'd want to choose RSA or ECDSA.
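The two options side by side, as an added example written for these notes (not code from any JWT library), using only Go's standard library. It assumes a minimal JWT header, a pre-built JSON payload, PKCS#1 v1.5 signatures for RS256, and no claim checks such as expiry; the point it shows is that HS256 verification needs the same secret that mints tokens, while RS256 verification needs only the public key.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

var b64 = base64.RawURLEncoding // JWTs use unpadded base64url
// split returns the signed header.payload part and the decoded signature; ok is false for malformed tokens.
func split(token string) (input string, sig []byte, ok bool) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", nil, false
	}
	sig, err := b64.DecodeString(p[2])
	return p[0] + "." + p[1], sig, err == nil
}

// SignHS256 and VerifyHS256 run the same MAC with the same secret: every verifier can also mint.
func SignHS256(secret, payload []byte) string {
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}
func VerifyHS256(secret []byte, token string) bool {
	input, sig, ok := split(token)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return ok && hmac.Equal(sig, mac.Sum(nil)) // constant-time compare
}

// SignRS256 needs the private key (held only by the signing app); VerifyRS256 needs just the public key.
func SignRS256(priv *rsa.PrivateKey, payload []byte) (string, error) {
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	d := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return input + "." + b64.EncodeToString(sig), err
}
func VerifyRS256(pub *rsa.PublicKey, token string) bool {
	input, sig, ok := split(token)
	d := sha256.Sum256([]byte(input))
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}
```

Applications that only hold the RSA public key can check tokens but cannot produce one that verifies, which is exactly the separation the notes ask for.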