I had a few questions in regard to certain practices used by JWT developers. I'm relatively new to both encryption and JWTs, and the context given is for developing a system on Node.js.
How should verification work? Should I look at the JWT's signature section and verify with the private key each time? Or should I store the token in a NoSQL database and see if it contains it for verification (checking expiration dates too)?
How many bits should each secret key be? Is 2048 too much? What's the 'good medium'?
Is RSA with the HMAC SHA256 signing method okay? What's the best method for key creation? Should keys be generated on multiple occasions (i.e. per server startup)? Or is having it static fine?
I recommend that you check out this URL
Hope it helps,