
JWT authentication is stateless or stateful?


I was learning about JWT authentication and got to know that when the JWT token is sent to the server for verification, it is decoded into header, payload and signature, so the server verifies the signature's secret key against the secret key already stored on the server.

Is this correct or is there any other process?

I asked the same thing of ChatGPT as well, and this was the answer.

In JWT authentication, the server typically has the secret key used to verify the authenticity of the JWT token. The process typically involves the following steps:

Token Generation: When a user successfully logs in or authenticates on the server, the server generates a JWT token using a specific algorithm (such as HMAC, RSA, or ECDSA) and a secret key that is known only to the server.

Token Signing: The server signs the JWT token by applying the algorithm and the secret key to the token's header and payload. This creates a signature that is unique to the server.

Token Sending: The server sends the JWT token back to the client as part of the response. The client will include this token in subsequent requests to the server for authentication purposes.

Token Verification: When the client sends a request with the JWT token, the server retrieves the token from the request header or another designated location.

Token Decoding: The server decodes the JWT token to extract the header and payload information, typically using the base64 decoding process. This information can include details such as the user ID, expiration time, and any custom claims.

Token Validation: The server then verifies the integrity of the JWT token by reapplying the signing algorithm and the secret key to the token's header and payload. If the resulting signature matches the one in the token, it indicates that the token is authentic and has not been tampered with.

The server has access to the secret key used to sign and verify the JWT tokens. This secret key is typically securely stored on the server, either in a configuration file or an environment variable, to prevent unauthorized access.


Solution

  • A JWT is a chunk of data that the server gives to the client to hold onto, with a tamper-evidence mechanism in the form of the signature. It allows the application to shift state storage from the server to the client (so long as the state is something safe/appropriate for the client to store).

    Depending on your perspective, this can make the application stateless because the server may not have to store anything beyond what it needs to verify credentials.