我需要分别为每个用户管理jwt秘密密钥吗? [英] I need to manage jwt secret keys individually for each user?

问题描述

我使用jsonwebtoken模块实现了jwt身份验证.但是，在生成和验证jwt令牌时，是否需要为每个用户创建和管理任意密钥?为每个用户分别管理密钥与使用一个密钥生成和验证jwt令牌之间有区别吗?

I implemented jwt authentication using the jsonwebtoken module. But do I need to create and manage arbitrary secret keys for each user when generating and verifying jwt tokens? Is there a difference between managing secret keys separately for each user and generating and verifying jwt tokens with one secret key?

推荐答案

不，您使用单个密钥对令牌进行签名.这是因为当令牌在请求中返回给您时，您需要能够对令牌进行解码，并且此时您不知道真正的用户是否在发送您的令牌，因为您尚未验证它

No, you use a single secret key to sign your tokens. This is because when the token comes back to you in a request, you need to be able to decode the token, and at this point you don’t know whether a genuine user is sending your token, because you haven’t verified it yet.

使用单个密钥签名和验证令牌，并记住确保安全.

Use a single key to sign and verify your tokens, and remember to keep it safe.

这篇关于我需要分别为每个用户管理jwt秘密密钥吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！