alt Hacker NewsThe neat thing about JWT is that there are no secrets to scan for. Your secret material ideally lives inside an HSM and never leaves. Scanning for these private keys is a waste of energy if they were generated inside the secure context.
Replies
vjay15 • today at 10:53 AM
Ideally API key shouldn't contain anything regarding the account or any info right? it's meant to be an opaque string, is what I found in most of the other articles I read. Please do let me know if I am wrong about this assumption
➕ show 2 replies
But JWTs are usually used as bearer tokens when doing API authentication. Those are definitely secrets that need to be scanned for.
Or are you suggesting that the API requests are signed with a private key stored in an HSM, and the JWT certifies the public key? Is that common?