Hey @amaster507, well… yeah, I’d say it should only be used if it’s verified, but unfortunately it can be decoded and used without being altered by pretty much any code that gets its paws on it.
As I understand it, there is no way to really tie a user session to an IP address and have a JWT that is only verified for that user from that IP for the duration of that session.
Maybe I am over thinking this… (or being a bit over-cautious)
… but as I understand it:
If my server (or Auth0, as Dgraph uses in the examples) sends a JWT to the client, and the client then uses that JWT to gain access to Dgraph, any other client from any other IP would be able to use that same JWT to access everything the original client has access to.
Is that true?
The JWT is still signed by the same private key and is still “valid” no matter where it is reused from.
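To make the point in this post concrete, here is a small added example (it is not code from the thread, from Dgraph or from Auth0, and it uses a hand-rolled HS256 JWT with a constructed shared secret rather than a real issuer). It shows three things: the payload can be read without any key; a signature check passes no matter which client IP presents the token, because the signature covers only the header and payload; and the only way the verifier can refuse a replay from another address is a separate, hypothetical check on a claim the issuer put in the token (here an `ip` claim), which is something the verifier has to implement on top of plain JWT validation.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for this example only; a real issuer would use
# an RSA/EC private key (RS256/ES256) or a properly generated HMAC key.
SECRET = b"demo-shared-secret-do-not-use"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        b64url(json.dumps(header, separators=(",", ":")).encode()),
        b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def peek_payload(token: str) -> dict:
    """Anyone holding the token can read the claims; no key is involved."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Standard validation: algorithm pin, signature, expiry. Returns claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None  # refuse 'none' or algorithm confusion
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None  # any change to header or payload breaks the signature
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_bearer(token: str, client_ip: str, secret: bytes, now: int) -> bool:
    """Plain bearer semantics: the sender's IP never enters the check."""
    return verify_jwt(token, secret, now) is not None


def authorize_ip_bound(token: str, client_ip: str, secret: bytes, now: int) -> bool:
    """Hypothetical hardening: the issuer embedded an 'ip' claim and the
    verifier compares it to the address the request actually came from."""
    claims = verify_jwt(token, secret, now)
    return claims is not None and claims.get("ip") == client_ip


def tamper_payload(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature (what an attacker could try)."""
    h, _, s = token.split(".")
    return f"{h}.{b64url(json.dumps(new_claims, separators=(',', ':')).encode())}.{s}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_jwt({"sub": "alice", "exp": now + 3600}, SECRET)
    print("claims readable without key:", peek_payload(token))
    print("original client 203.0.113.10 ->", authorize_bearer(token, "203.0.113.10", SECRET, now))
    print("replayed from 198.51.100.7 ->", authorize_bearer(token, "198.51.100.7", SECRET, now))
    print("tampered payload ->", verify_jwt(tamper_payload(token, {"sub": "admin", "exp": now + 3600}), SECRET, now))
    bound = mint_jwt({"sub": "alice", "exp": now + 3600, "ip": "203.0.113.10"}, SECRET)
    print("ip-bound, replayed ->", authorize_ip_bound(bound, "198.51.100.7", SECRET, now))
```

The `ip` claim is only illustrative: it breaks for clients behind NAT or on mobile networks, and a verifier such as Dgraph has to be taught to check it, which plain JWT validation does not do. The usual mitigations for bearer replay are short `exp` values with refresh tokens, or proof-of-possession schemes that bind the token to a client key (mutual-TLS bound tokens, RFC 8705, or DPoP, RFC 9449), none of which the signature alone provides.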