# JWT Private / Public Key Confusion

## Metadata
- Author: [[stackoverflow.com]]
- Full Title: JWT Private / Public Key Confusion
- Category: #articles
- Summary: The asker is unsure which key does what. Signing is done by the issuer with its private key, and any party holding the matching public key can verify the signature.
  Private keys must stay secret on the issuing server; public keys are shared for verification.
  Use HTTPS for transport, and use JWE (encryption) if the token itself carries sensitive data.
- URL: https://stackoverflow.com/questions/60538047/jwt-private-public-key-confusion
## Highlights
- With JWT, the possession and the use of the key materials are exactly the same as in any other contexts where cipher operations occur. ([View Highlight](https://read.readwise.io/read/01k31dtsp03mh9q2q8ymb1gvbg))
- For signing:
• The private key is owned by the issuer and is used to compute the signature.
• The public key can be shared with all parties that need to verify the signature. ([View Highlight](https://read.readwise.io/read/01k31dtxx84xeg2ba4bpmfvhtr))
- For encryption:
• The private key is owned by the recipient and is used to decrypt the data.
• The public key can be shared with any party that wants to send sensitive data to the recipient. ([View Highlight](https://read.readwise.io/read/01k31dv91v72wedhyyd0hgqvv6))
- Encryption is rarely used with JWT. Most of the time the HTTPS layer is sufficient. ([View Highlight](https://read.readwise.io/read/01k31dvwzrs6w6g42tn2zx5hnr))
- The issuer of the token (the authentication server) has a private key to generate signed tokens (JWS). These tokens are sent to the clients (an API server, a web/native application...). The clients can verify the token with the public key. The key is usually fetched using a public URI. ([View Highlight](https://read.readwise.io/read/01k31dwgta3xaxfzhwjzrveytp))
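The split described in the answer, signing with the issuer's private key and verifying with a published public key, as an added example that is not part of the original question or answer. It uses only the Go standard library and picks EdDSA over Ed25519 (the JWS "EdDSA" algorithm and "OKP" JWK type of RFC 8037) because its signatures and keys are raw byte strings; the `Issuer` type, the `kid` value `2020-03`, and the error strings are assumptions made for the example. `JWKS()` is the document the issuer would serve at its public key URI; it contains only the public key, and `Verify` is everything a client holds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments and JWK fields use base64url without padding

// Header is the JOSE header: EdDSA over Ed25519 per RFC 8037, plus the key id.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// JWK is the public key as the issuer publishes it; it carries no private part.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"` // base64url of the raw 32-byte Ed25519 public key
}

// Issuer is the authentication server. Its private key never leaves it.
type Issuer struct {
	kid  string
	priv ed25519.PrivateKey
}

func NewIssuer(kid string) (*Issuer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{kid: kid, priv: priv}, nil
}

// JWKS is what the issuer serves at its public JWKS URI: public keys only.
func (i *Issuer) JWKS() []JWK {
	pub := i.priv.Public().(ed25519.PublicKey)
	return []JWK{{Kty: "OKP", Crv: "Ed25519", Kid: i.kid, X: b64.EncodeToString(pub)}}
}

// Sign builds a compact JWS (header.payload.signature) with the private key.
func (i *Issuer) Sign(claims map[string]any) (string, error) {
	p, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	h, _ := json.Marshal(Header{Alg: "EdDSA", Kid: i.kid}) // a struct of strings cannot fail to marshal
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	return input + "." + b64.EncodeToString(ed25519.Sign(i.priv, []byte(input))), nil
}

// decodeSegment base64url-decodes one JWS segment and unmarshals its JSON into v.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Verify runs on a client (for example an API server) that holds only the published JWKS.
func Verify(token string, keys []JWK) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr Header
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil {
		return nil, errors.New("jws: malformed token")
	}
	// The verifier pins the algorithm it accepts; the token does not get to choose.
	if hdr.Alg != "EdDSA" {
		return nil, errors.New("jws: unsupported alg " + hdr.Alg)
	}
	var pub ed25519.PublicKey
	for _, k := range keys {
		raw, err := b64.DecodeString(k.X)
		if k.Kid != hdr.Kid || k.Kty != "OKP" || k.Crv != "Ed25519" || err != nil || len(raw) != ed25519.PublicKeySize {
			continue // not the key the token names, or not a usable Ed25519 key
		}
		pub = ed25519.PublicKey(raw)
	}
	if pub == nil {
		return nil, errors.New("jws: no published key with kid " + hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("jws: signature does not verify")
	}
	var claims map[string]any // the payload is only decoded after the signature checks
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}
```

Two things the functions make visible that the prose only states: a second party that generates its own key pair and copies the issuer's `kid` still cannot produce a token `Verify` accepts against the issuer's JWKS, which is why the private key must stay on the issuer; and the client trusts nothing in the token before the signature checks, including the `alg` field, which it pins rather than reads.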