by theprotocol
3329 days ago
If it isn't encrypted, the only thing the client needs to know is that it's base64 encoded in order to inspect it. You'd need the secret to verify the signing and you probably shouldn't have that on the client-side! So I still think the header is superfluous even for this use case.

Edit: in fact, the client needs to know that it's base64 encoded to even read the header in the first place.