I am trying to understand how JWT signature verification works, and I have read this page under the “Check signature” section. The documentation states that:
"1. Take the original Base64url-encoded Header and original Base64url-encoded Payload segments (Base64url-encoded Header + “.” + Base64url-encoded Payload), and hash them with SHA-256.
2. Encrypt using either HMAC or RSA (depending on your selected signing algorithm) and the appropriate key."
This is surely a mistake, or have I misunderstood things? During signature verification there is no encryption necessary when dealing with RSA keys. What you have is a public key to decrypt the hash and verify that the current hash and the original hash are equal.
This document is confusing me and I need help with clarity.