-
Notifications
You must be signed in to change notification settings - Fork 126
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
how to generate secret key? #48
Comments
Hi @skota, We wrote a tutorial on this: https://github.com/dwyl/learn-json-web-tokens
Hope that helps! |
Thank you. Yes it does help. Is this the right place to post questions by the way? Thanks From: Nelson notifications@github.com Hi @skota, And here's a bit more info: http://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology |
@skota glad it helped. |
@skota we have added instructions to our readme for sourcing your JWT secret key. |
there is a correct way to generate a secret |
@gstolfo please share a link to the correct way, or describe it for us, thanks! 👍 |
So does that mean using a private and public key is not supported by this package? If so, is it enough to read their content and provide them as the key? It seems to make jsonwebtoken crash. |
As seen on the
|
Just for reference as I'm learning about JWT as well, i found it interesting that i can generate a JWT token server side, send it to client to store as cookie, and then do this in browser dev tools:
So good to know that the header and payload are just base64 encoded, so not good to store secure information in them. |
with openssl you can do:
|
openssl rand -base64 10 |
@satishpatro44, could you explain why you use I guess if you have 10 bytes, that's 2 ^ (10 * 8) = 1.20892582e24 permutations. So I guess it's not a real problem that someone can brute force this. This is just my unqualified thoughts, and I would love to see what others think about my concerns :) |
openssl rand 64 | hexdump -v -e '/1 "%02x"' |
Suppose. I have secret word: Thanks |
originally posted by @skota on ryanfitz/hapi-auth-jwt#30
The text was updated successfully, but these errors were encountered: