Hacker News
by Freak_NL 3331 days ago
Keeping the JWT format as-is is useful if you have signed (but not encrypted) tokens though; in a web browser you can use standard libraries to inspect the token and alter the UI based on a user's permissions (the final check is always the API's responsibility of course, but if there is no need to show the 'admin' link the client can do that).
1 comment

If it isn't encrypted, the only thing the client needs to know is that it's base64 encoded in order to inspect it. You'd need the secret to verify the signing and you probably shouldn't have that on the client-side!

So I still think the header is superfluous even for this use case.

edit: in fact, the client needs to know that it's base64 encoded to even read the header in the first place.

Symmetric signing is not, by far, the only use case for JWTs. Asymmetric signing, and encryption, are also well-specified and supported.
Good point! It slipped my mind.