logoalt Hacker News

vjay15today at 10:53 AM2 repliesview on HN

Ideally API key shouldn't contain anything regarding the account or any info right? it's meant to be an opaque string, is what I found in most of the other articles I read. Please do let me know if I am wrong about this assumption

Replies

ijustlovemathtoday at 11:53 AM

JWT operates on a different principle; the user's private key (API key) never leaves the user's device. Instead, the stated "role" and other JSON data are signed with the servers pubkey, then verified by the server using its master key, granting the permissions that role allows.

miningapetoday at 11:51 AM

Look at the JWT standard, it usually contains things like claims, roles, user ids, etc.