• rp (2 years ago):
    Yeah, it must be a string.
• user (2 years ago):
    I have a question (a critical one, I guess). "JWT signing key rotation" is supposed to be done in the middleware auth validation, right? (I am currently using the Node.js lib.)
• rp (2 years ago):
    The key is stored in the database. We use RSA keys for JWTs, which means a private key is used to sign and create the JWT, and a public key is used to verify it. The Node.js SDK gets only the public key from the service, for the purpose of verification. Creating a new token, or changing the signing keys, happens on the service side. So if the signing key is changed, the Node.js SDK will still have the older public key. Any new access token that comes in will fail validation. The SDK will then pass the access token on to the service to verify (which will succeed because it has the latest JWT key), and in response the Node.js SDK will get the new public key. Also, JWT signing key rotation is a pro feature only.
• rp (2 years ago):
    I'm not entirely sure I answered your question. If not, please feel free to clarify.
• user (2 years ago):
    Thanks. The answer is very clear. It means that if I had to enable the token theft detection feature, a database call would have to be made on each subsequent request that requires SuperTokens middleware validation? Am I correct?
• rp (2 years ago):
    Token theft detection has nothing to do with the JWT signing key. Token theft detection is already enabled.
    "Each subsequent request that requires SuperTokens middleware validation, a database call is to be made?" No. Token theft detection happens when refreshing a session, not when validating a session.
• user (2 years ago):
    Yes, I understand that. I tied your answer to my subsequent questions 🤦‍♂️. I am just trying to evaluate why I would use SuperTokens while developing Laravel apps. Your solution is great, as it separates session management from the other app logic. My main concern is why the solution relies on JWTs.
• rp (2 years ago):
    Thank you! We rely on JWTs because that way, for most API calls, your session verification can happen in < 1 ms as opposed to 50 ms.
• rp (2 years ago):
    thereby making your APIs faster!