I am using JWT for API authentication with an RS256 private/public key.
On my client side I am using Vue.js/Angular/React, and I am tempted to use JsonWebToken to do client-side JWT verification of the expiry date and issuer:
    var fs = require('fs');
    var jwt = require('jsonwebtoken');

    var cert = fs.readFileSync('public.pem'); // get the public key
    jwt.verify(token, cert, { audience: 'urn:foo', issuer: 'urn:issuer' }, function(err, decoded) {
        // on an issuer mismatch (or bad signature / expired token) err is set,
        // otherwise decoded holds the verified payload
    });
Do you think it is a good idea to expose the public key, although the public key is meant to be distributed?
The public key can be published 'publicly' with no harm. The public key is used to verify that the signature isn't manipulated, while the private key is the one which shall be kept secret, as it is the one that signs the payload. So your client only needs to know that the payload hasn't been manipulated. More details here