Please, don't use HMAC via shared secrets for JWT if you can avoid it at all... prefer RSA signed keys, this way only the public key is shared and the private key only needs to be secured in one place.
Here's a more relevant article with actual code examples.
https://link.medium.com/0W35cJtseZ
Though I would go with a 4092 bit key and use RSA 384 for the signing. The article mentions generating keys in Chrome... unless you have a real use case for this, then go for the stronger options on the server.
tracker1 1593 days ago. link 1 point ▲ ▼