cross-posted from: https://lemy.lol/post/4569543

I need to

  • encrypt JSON payload (not just sign)
  • not share private key
  • verify the payload is generated with the shared public key and RSA fitting all of these.

As I’ve only made auth with JWT so far, I’m not sure. If I use RSA, I guess I have to put the encrypted text in the body.

Do you think it can be used? Any other suggestions?

  • towerful@programming.dev
    2·
    1 year ago

    So what part are you wanting to protect?
    The user to your client? The client to you? Or essentially end-to-end between the user and you, but via your client?

    Perhaps an alternative way?
    The user sends the stock pool to the client, they give the user a transaction key. The user submits the transaction key to you, you fetch the transaction details from the client, then you process them?

    I guess I’m failing to understand why the payload needs to be encrypted everything is already travelling over an encrypted medium (IE TLS/HTTPS).

    • iso@lemy.lolOP
      1·
      1 year ago

      The client wants to encrypt the payload while sending to us. I hope they know why they want this :)