bob1029 2 days ago

> are you suggesting that the API requests are signed with a private key stored in an HSM, and the JWT certifies the public key? Is that common?

Very. The thing that certifies the public key is called a JWK. https://datatracker.ietf.org/doc/html/rfc7517

This is typically hosted at a special URL that enables seamless key rotation and discovery. https://auth0.com/docs/secure/tokens/json-web-tokens/json-we...