| ▲ | agwa 2 days ago | |
But JWTs are usually used as bearer tokens when doing API authentication. Those are definitely secrets that need to be scanned for. Or are you suggesting that the API requests are signed with a private key stored in an HSM, and the JWT certifies the public key? Is that common? | ||
| ▲ | bob1029 2 days ago | parent | next [-] | |
> are you suggesting that the API requests are signed with a private key stored in an HSM, and the JWT certifies the public key? Is that common? Very. The thing that certifies the public key is called a JWK. https://datatracker.ietf.org/doc/html/rfc7517 This is typically hosted at a special URL that enables seamless key rotation and discovery. https://auth0.com/docs/secure/tokens/json-web-tokens/json-we... | ||
| ▲ | mattacular 2 days ago | parent | prev [-] | |
That's how JWT is designed to work | ||