I want to ask something: when using asymmetric encryption, we encrypt the data using the client's public key, so the client can decrypt the data using their private key, right?
I just found tutorials for signing JWTs using RSA, but I found they encrypt the data using the server's private key instead of the client's public key, and the server's public key is shared among clients.
Is it even safe? Because if the public key falls into the wrong hands, since it's shareable, everyone can decrypt it, right?
So, is it okay to sign the JWT like that?
In this scenario, the purpose is not to encrypt the data so that others cannot read it ("confidentiality"); it is to sign the data so that others with the public key can verify that you are in possession of the private key and actually signed the data. The data in this case is a hash of the JWT header and payload. The private key is used for signing so that only one entity - the authentication server - can sign JWTs. The public key is used for signature validation so that any third party with the public key can validate the JWT. The public key cannot be used to create a valid signature.
So yes, it is safe!
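The round trip the answer describes, written out as an added example (not code from the question, the answer, or any of the tutorials mentioned): the server signs with its private key, a client verifies with the public key, anyone can read the payload without any key, and a payload swapped in by someone holding only the public key fails verification. It uses only the Go standard library; the 2048-bit key pair is generated in-process and the claims are constructed for the demo, which are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWTs use base64url without padding (RFC 7515).
var b64 = base64.RawURLEncoding

// decodePart base64url-decodes one dot-separated segment and parses it as JSON.
func decodePart(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignRS256 signs header.payload with the server's PRIVATE key. Only the
// holder of this key can produce a signature the public key will accept.
func SignRS256(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 checks the signature with the server's PUBLIC key and returns the claims
// only if it is valid. The algorithm is pinned rather than trusted from the header.
func VerifyRS256(pub *rsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("invalid signature: %w", err)
	}
	var claims map[string]any
	return claims, decodePart(parts[1], &claims)
}

// DemoResult records what the round trip in Demo showed.
type DemoResult struct {
	GenuineVerified   bool // server-signed token accepted by the public key
	ReadableWithNoKey bool // claims recoverable without any key (no confidentiality)
	ForgeryRejected   bool // payload swapped under the old signature is refused
}

// Demo uses a freshly generated key pair and constructed claims (not real data).
func Demo() (r DemoResult, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	token, err := SignRS256(priv, map[string]any{"sub": "alice", "role": "user"})
	if err != nil {
		return r, err
	}
	claims, err := VerifyRS256(&priv.PublicKey, token)
	r.GenuineVerified = err == nil && claims["sub"] == "alice"
	// Anyone can read the payload: it is only base64url-encoded, not encrypted.
	var peek map[string]any
	parts := strings.Split(token, ".")
	r.ReadableWithNoKey = decodePart(parts[1], &peek) == nil && peek["role"] == "user"
	// With only the public key, the best an attacker can do is swap the payload
	// and reuse the old signature; verification with the public key rejects it.
	escalated, _ := json.Marshal(map[string]any{"sub": "alice", "role": "admin"})
	forged := parts[0] + "." + b64.EncodeToString(escalated) + "." + parts[2]
	_, err = VerifyRS256(&priv.PublicKey, forged)
	r.ForgeryRejected = err != nil
	return r, nil
}

func main() { r, err := Demo(); fmt.Println(r, err) }
```

Two practitioner details worth noting in the verifier: the expected algorithm is hard-coded on the server side instead of being read from the token's own header, so a token that announces `"alg":"none"` (or an HMAC algorithm, which would let the public key be used as a shared secret) is refused before any signature check; and the public key is used only in `rsa.VerifyPKCS1v15`, which can confirm a signature but never create one, which is exactly why publishing it is safe.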