Securing Rest APIs with JWT

Time:02-27

I'm trying to secure the rest API endpoint with JWT. I looked at a few related questions here and here.

I have some sensitive information in the JWT, but I'm using HTTPS, so the data is already encrypted. Would that be enough, or do I have to encrypt the JWT?

CodePudding user response:

HTTPS gives you encryption in transport. This means that if anyone intercepts your message they will not be able to read it. But the secure connection is terminated by the browser (at the user side) and very often by a load balancer or API gateway at the server side. This means that the JWT will be freely available to anyone with access to the browser. There is also a possibility that it will be read or stolen from inside your network (once it's past the Gateway/load balancer). This one is a much lower threat, but it nevertheless exists.

If you have sensitive information in the JWT, then there are two options:

  1. You can encrypt JWTs (so use JWEs). This way the token's contents will be secure in the browser. Even if someone reads or intercepts the token there, they will not be able to read it. JWE is a bit tricky to set up, though.

  2. You use the Phantom Token pattern. In this pattern, you issue opaque tokens to the client and have your API Gateway exchange the opaque token for a JWT. This way your sensitive information is kept away from the browser, but your APIs can still benefit from the power of the JWT. It also doesn't require setting up encryption. It leaves you vulnerable to any malicious actors inside your network (either from your organization or someone who manages to breach your defenses), but this is a much lower risk.
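An added example (not from the original answer or any particular gateway product) of the Phantom Token exchange in option 2, alongside a decoder that shows why a plain signed JWT is readable by whoever holds it. The shared secret, the claims and the in-memory token store are constructed for the demo.

```python
# Added example (not from the original post): a minimal Phantom Token exchange in
# pure standard-library Python. The secret, claims and in-memory store are constructed.
import base64, hashlib, hmac, json, secrets, time

API_SECRET = b"constructed-shared-secret-for-demo"  # assumption: shared by gateway and API
_STORE = {}  # auth-server side: opaque token -> claims; never sent to the browser

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def read_claims_unverified(token: str) -> dict:
    # A signed JWT (JWS) is not encrypted: anyone holding it can read the payload.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, secret: bytes, now=None):
    # Upstream API side: check signature and expiry before trusting any claim.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None
    claims = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    return claims if claims.get("exp", 0) > now else None

def issue_opaque(claims: dict) -> str:
    # Auth-server side: the client gets only a random handle, not the claims.
    token = secrets.token_urlsafe(32)
    _STORE[token] = dict(claims)
    return token

def gateway_exchange(opaque: str, ttl: int = 300, now=None):
    # Gateway side: introspect the handle and mint a short-lived JWT for the API.
    claims = _STORE.get(opaque)
    if claims is None:
        return None  # unknown or revoked token: rejected at the edge
    now = int(time.time()) if now is None else now
    return sign_jwt({**claims, "iat": now, "exp": now + ttl}, API_SECRET)
```

Running `read_claims_unverified` on the gateway-minted JWT returns the sensitive claims without any key, which is exactly why that token should stay behind the gateway while the browser only ever holds the opaque handle.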
