hi folks,

I am trying to understand how the JWT Signature verification works and I have read this page under the “Check signature” section. The documentation states that:

"1. Take the original Base64url-encoded Header and original Base64url-encoded Payload segments (Base64url-encoded Header + “.” + Base64url-encoded Payload), and hash them with SHA-256.

2. **Encrypt using either HMAC or RSA** (depending on your selected signing algorithm) and the appropriate key."

This is surely a mistake, or have I misunderstood things? During signature verification there is no encryption necessary when dealing with RSA keys. What you have is a public key to decrypt the hash and verify that the current hash and the original hash are equal.

This document is confusing me and I need help with clarity.
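As an added example (not code from the poster or from the documentation quoted above), here is the HMAC branch of the quoted procedure in Python's standard library: the signing input is the Base64url header and payload joined by ".", the signer computes HMAC-SHA256 over it with the shared key, and the verifier recomputes that MAC and compares it in constant time against the token's third segment. The key and payload values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # Base64url without '=' padding, as compact JWS serialization requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the base64 decoder expects before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def hs256_sign(payload: dict, key: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_seg = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_seg = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    # For HMAC the "hash" and the keyed step are one operation: the MAC itself.
    mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_seg}.{payload_seg}.{b64url_encode(mac)}"


def hs256_verify(token: str, key: bytes) -> Optional[dict]:
    """Return the decoded payload if the signature is valid, otherwise None."""
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
        header = json.loads(b64url_decode(header_seg))
        presented_mac = b64url_decode(sig_seg)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: wrong segment count or undecodable segments
    # Pin the expected algorithm on the verifier side; do not let the token choose it.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    expected_mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the recomputed MAC with the one carried in the token.
    if not hmac.compare_digest(expected_mac, presented_mac):
        return None
    return json.loads(b64url_decode(payload_seg))


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # shared secret, constructed for this example
    token = hs256_sign({"sub": "alice", "role": "reader"}, demo_key)
    print(token)
    print(hs256_verify(token, demo_key))
```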