Can anyone access "private key" present in JWT signature when token is signed using RSA?
-
Hey, I am trying to authenticate my user using a JWT token signed with an RSA key. I have configured the same in my application's JWT section. Now, when I put the encrypted access token into any JWT debugger website like token.dev, I can get the "private key" as well as the "public key" in the JWT signature. Since this way anyone can get the private key and then forge the JWT, I would like to know how we are ensuring the authenticity. Also, is it expected behavior, or am I making some mistake? Your help would be highly appreciated.
-
The private RSA key should not be present in your JWT. The public key should not be present either, but a "kid" should be present in the header identifying the public/private keypair that was used to sign the JWT. Please share a sample JWT with this issue.
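To make the answer concrete, here is an added example (not code from the thread or from any JWT library) of a minimal RS256 issuer and verifier. It shows that the third segment of a token is only the signature bytes, not a key, and that the verifier selects the public key by the "kid" header from its own trusted registry. The RSA and PKCS#1 v1.5 code is hand-rolled in pure Python with a 512-bit key so the example runs offline; that is an assumption for demonstration only, and a real service should use a vetted library with full-size keys. The registry name "2024-key-1" and the rejected header values are constructed for the demo.

```python
"""Added example: RS256 JWT issue/verify with kid-based key lookup (demo-sized RSA, not production)."""
import base64, hashlib, json, random, secrets

# ---- minimal RSA (demo only: 512-bit, from scratch) -----------------------
def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; enough for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(c):
            return c

def generate_rsa_key(bits=512):
    """Return (n, e, d). 512 bits is the smallest size that fits SHA-256 PKCS#1 v1.5 padding."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256

def _emsa_pkcs1_v15(msg, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(msg, k))

# ---- JWT --------------------------------------------------------------------
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims, kid, n, d):
    """Issuer: header names the key by kid; only signature bytes are appended, never the key."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    return f"{signing_input}.{_b64url(rs256_sign(signing_input.encode(), n, d))}"

PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}

def verify_jwt(token, public_keys):
    """Verifier: public_keys is the trusted {kid: (n, e)} registry. Returns claims or raises ValueError."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "RS256":          # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    jwk = header.get("jwk")                    # a header-supplied key is never trusted for lookup
    if jwk and PRIVATE_JWK_MEMBERS & set(jwk):
        raise ValueError("header embeds private key material")
    if header.get("kid") not in public_keys:
        raise ValueError("unknown kid")
    n, e = public_keys[header["kid"]]
    if not rs256_verify(f"{h64}.{p64}".encode(), _b64url_decode(s64), n, e):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p64))

def demo():
    """Issue one token, then show how the verifier treats a tampered, a key-leaking and an unknown-kid token."""
    n, e, d = generate_rsa_key()
    registry = {"2024-key-1": (n, e)}  # constructed kid for the demo
    token = issue_jwt({"sub": "alice"}, "2024-key-1", n, d)
    h64, p64, s64 = token.split(".")
    out = {"valid": verify_jwt(token, registry), "signature_bytes": len(_b64url_decode(s64))}
    tampered = f"{h64}.{_b64url(json.dumps({'sub': 'admin'}).encode())}.{s64}"
    leaky_hdr = {"alg": "RS256", "kid": "2024-key-1", "jwk": {"kty": "RSA", "d": "attacker-supplied"}}  # constructed
    leaky = f"{_b64url(json.dumps(leaky_hdr).encode())}.{p64}.{s64}"
    rogue = issue_jwt({"sub": "alice"}, "rogue-kid", n, d)
    for name, bad in (("tampered_payload", tampered), ("embedded_private_key", leaky), ("unknown_kid", rogue)):
        try:
            verify_jwt(bad, registry)
            out[name] = "accepted"
        except ValueError as exc:
            out[name] = str(exc)
    return out
```

Running `demo()` shows the signature segment is 64 bytes (one RSA modulus width) with no key inside it; a debugger site only displays whatever key you paste into it. The tampered payload fails the signature check, the header that smuggles a "d" member is rejected before any lookup, and an unknown kid is refused rather than trusted.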