How does JWT eliminate the need for database lookups on every request?


I read that having a JWT system vs a simple token-based system eliminates token lookups in a database. But I don't get how that's possible. If it uses HMAC for a signature, doesn't the server need to look up the secret key for every client to verify their signature? Or do all clients use the same secret key? (sounds very insecure). If it uses an asymmetric algorithm, doesn't it still need to look up one of the keys to verify the signature?

Show source
| security   | jwt   2017-01-07 22:01 2 Answers

Answers ( 2 )

  1. 2017-01-08 03:01

    You can use the same secret key for every client. And it's secure! The client never sees your key. What JWT allows you to do is verify that the payload was signed using the secret key, and as long as it's kept secret, you'll know that only you could have signed the payload.

  2. 2017-01-08 16:01

    In the usual scenario, the server requires the credentials to authenticate the user (i.e. user & password). If the authentication is successful, the server issues a JWT which is signed with server's private key, not by the client..

    The signature protects the content and identifies the signer. Any alteration to payload or signature can be detected by the server verifying the signature and will reject the JWT . Therefore server can rely on the data included in the JWT

    The server can include in the payload the claims needed for authentication, for example user id sub, exp and other claims of interest like the username, email or the authorization roles . See What to store in a JWT?.

        "sub": "joe",
        "iat": 1300819370,
        "exp": 1300819380,
        "email": "",

    After verification of the signature, the server can use directly the included claims instead of query the database.

    With a symmetric key (HMAC), signature and verification is done with the same key. An asymmetric key pair (RSA) is composed by a private and a public key. Signature is done with the private key and verification with the public. Use a asymmetric key when you need that the client verifyies the JWT.

◀ Go back