JWT, is it safe to use the same key pair to sign from server-side and encrypt from client-side?

Time:03-07

My private key is server-side and the public one is client-side. I use them to sign JWTs from my server and send them to my clients for authorisation. I now also have to encrypt the user password client-side during authentication using JWE and verify it server-side.

These two use cases have the same requirements: the private key is server-side, the public key is client-side, and the encryption algorithms can be the same. This is why I am thinking of using the same key pair, but I am afraid of missing something about security and I would like confirmation: is it safe?

CodePudding user response:

As a best practice, you should not re-use the same key pair for different purposes. Just have two distinct key pairs, one for digital signatures, the other for public key encryption.
