JWT — JWS or JWE? JWK? JWKS?

If you are not a medium member, use the link here to access the content for free

I have been always impressed by JWTs, the concept overall, the usage, the technicalities around it. In fact it is the thing that forced me to learn details about the key pair(private + public keys), cryptography, etc. In this blog post I would love to share the brief(less is good) details of it.

JWT ➫ JSON Web Token. It is a standard which has the two implementations JWS and JWE. So when we say JWT — it actually is either of these two, it will either be a signed token or an encrypted token.

JWS ➫ JSON Web Signature. In this case the payload is signed. It can be inspected inflight. Content is easily visible.

JWE ➫ JSON Web Encryption. For this one the payload is encrypted. It cannot be inspected in flight, the payload needs decryption to be made visible.

Basics 1st — Symmetric vs Asymmetric?

Symmetric Key

When the same key is used for bidirectional operations then it is known as a Symmetric key. It is a single key that is used for either side of the operation of in case of signing/ validating and encryption/ decryption.