Encrypted JWT's (JWE?) with Lock

I’m using the Lock library, and it provides me with JWT’s. This is working great.

I’m curious though how to have Auth0 encrypt the token. I was expecting to find a setting on my client settings in Auth0, like and “Encrypt tokens” toggle or something. I can actually find almost nothing about JWE’s on the web except for RFC 7516. I can’t find any documentation from Auth0 about how to enable such a setting. Can you help me? Are they just not really commonly used?

I THINK encrypting them isn’t necessary, as my site is using HTTPS. Is that right?

1 Like

At this time, there is no support for JWE either when JWT’s are used as ID tokens or access tokens. Like you mentioned, encrypted JWT’s do not have a very widespread use unlike their signed peers (JWS) which is also what it’s currently available in Auth0 by supporting both HS256 and RS256 signed ID tokens and access tokens (when applicable).

The use of HTTPS does imply that the actual JWT data while in-transit between client and server gets encrypted. However, as soon as the HTTPS connection is terminated the token contents could be decoded and available without any sort of decryption. In general, you will not want to include sensitive information within these tokens so the matter ends up being a non-issue.