
Out of interest, do you check the authenticity and integrity of the JWT on the client side?


We provide an endpoint to check validity with the server, but haven't used it too often. Anything "reasonably sensitive" (or more) doesn't depend on anything like this client-side security.

But, if you're just hiding an additional Delete button on a page based on claims, this comes in handy.

(Edit: in one case, we've used asymmetric keys, i.e. public key so everyone can check integrity. This was a very different use-case to most web apps, though. Overall I'd say if you're carefully checking integrity of something in client-side JS to do something, I think that's probably the wrong approach)


That's exactly what it is useful for. Of course access to a resource is determined server-side; JWT simply allows you to adjust the UI to the permissions the user has without any additional calls. If the user changes the JWT he has client-side, he will just get a broken delete button (the server will reject a JWT that has been tampered with).



