by mooreds
1862 days ago
Like a sibling comment said, hopefully this was tongue in cheek. If you use "none", anyone can forge a JWT that says anything.

I always say:

* You should have some other way of verifying that the JWT was unchanged by the client, like say being on a private network or using client TLS certs and
* You should benchmark and know that the signing overhead is a significant source of performance degradation in your system.

Otherwise, sign your JWTs! :)