Self-Signed JWTs
Self-signed JWTs are the future of auth.
Let’s see how we can get rid of secret versus publishable keys and separate client and admin SDKs.

1. Store your app’s private JWK on the server.
2. Using whatever auth scheme you have, implement a function that returns whether to allow a given action.
3. Express privileged actions as claims in your JWT—if a privileged action is allowed, include the claim in the payload and sign the JWT with your private key.
4. Give your client SDK a function that reverse-proxies to your API, adding a signed JWT to the request’s Authorization header with any privileged claims you want to include.

Simple: make your API return a payment URL when a request is made with a public key that isn’t associated with a paid account.