JWT Keys - Asymmetric and Symmetric

With asymmetric JWTs(JWS) that are signed with a Private Key of the Sender, the Receiver of the Token is basically receiving the Payload(header/claims) that are in clear text other the being base64 encoded. This is why they need to be transmitted in a Secured Socket Layer(SSL) environment. To Validate the Received Signature, the Public Key is used by the Receiver to recompute the Signature of the received Payload. If the two Signatures, the Received Signature and the Computed Signature, don't match, then the Payload cant be trusted-- it is Invalid Therefore, such an Asymmetric JWS would not be a good method to include a sensitive "claim" such as a Social Security Number because the content of the Payload is not encrypted. The include such sensitive data in a JWT the Json Web Token Encrypted JWE could be employed. In the JWE the entire Payload is encrypted.


Symmetric keys are only to be used in a peer-to-peer way so it would be pointless for the receiver to modify JWTs for which only he and the sender have a shared key (and he is the intended recipient).

Asymmetric key signatures (in JWTs as well as in general) are produced by the sender with the private key and verified by the receiver with the public key. The consumer/receiver is given only the public key which happens out_of_band (i.e. through another means of communication than the one you use to exchange the secured data).