Improve JWT Token Signing from Symmetric to Asymmetric #18

@belaoud001

Description

Currently, our authentication system uses symmetric signing (HS256) for JWT tokens. This means any service that validates tokens must have access to the same secret key used to sign them.

Problems with the current approach

  • Security risk: Any service with access to the secret can forge valid tokens.

  • Tight coupling: All services must share the same secret key, making key rotation and environment management harder.

  • Scalability: Adding new microservices requires securely distributing the secret key.

Proposed improvement

Switch to asymmetric signing (RS256 or ES256):

  1. The Auth Service signs tokens using a private key.

  2. Other APIs validate tokens using the public key only.

  3. Optionally, expose the public keys via a JWKS endpoint for automatic validation in multiple services.

Benefits of this approach:

  1. Only the Auth Service can create valid tokens.

  2. Other services cannot forge tokens.

  3. Key rotation becomes safer and easier.

  4. Supports secure scaling across multiple APIs and environments.
