Great question! It depends on which algorithm you’re using to sign tokens (you can check in your application settings → Advanced → OAuth tab, as well as in your API settings). Typically this will be RS256, which is asymmetric, won’t involve using a secret, and is generally considered more secure. HS256 is symmetric and requires a secret. Some further resources on this topic:
Thanks for this - I just had a read of it. I notice there’s a method for checking scope. Would you mind briefly explaining how this might work with/relate to Auth0? Right now I’m merely validating the JWT, as shown, and I’m handling all permissions app-side i.e. I have a custom, proprietary permissions system that I’m managing outside of Auth0. With this in mind, would I be right in thinking I don’t really need to get involved in Auth0-side scopes and roles (not currently sure of the difference)?
If you’re already handling this on your own, then you probably don’t need to worry about the other functions provided for checking scopes, claims, etc. They exist for more granular authorization beyond just checking that the access token is valid. For example, you might check that a user has a specific scope, claim, role, etc. before they are able to access a given endpoint. Some examples here: