- Header — metadata about how the token is constructed: the signing algorithm and, usually, an identifier for the key that signed it
- Payload — the claims: the identity of the subject plus any other attributes the issuer asserts about it
- Signature — proof that the header and payload were produced by the holder of the signing key and have not been altered since
The subject (sub) claim identifies the user or entity:
Signing and Verification
JWTs are signed so that recipients can verify they have not been tampered with. Verification runs the signature check over the header and payload using the verification key that corresponds to the signing key; if any byte of either part has changed, or the token was signed with a different key, the check fails.

Symmetric vs Asymmetric Keys
JWTs can be signed using:
- Symmetric keys — one shared key used for both signing and verifying
- Asymmetric keys — a private key for signing and a public key for verification

With a symmetric key, every party that can verify tokens holds the same secret that signs them, so a verifier (or anyone who compromises it) can mint tokens of its own. Asymmetric keys avoid this. The signing private key never leaves your control, and we only receive the public verification key, which can check tokens but not create them.
Why Asymmetric Keys and JWTs?
While Mutual TLS (mTLS) proves which server is sending a request, it does not tell us which user the server is acting on behalf of. JWTs fill this gap by conveying identity and permission information for individual Builders and Members. Asymmetric JWT verification is used because:
- You keep the private signing key, maintaining full control over user management.
- Sutro only needs the public key, so it can verify tokens but never forge them.
- Each authentication service or environment can have its own key pair, so the key a token verifies against tells us where it came from.
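The flow described in the two sections above, as an added example that is not part of Sutro's documentation or code: a self-contained Go program that signs a JWT with a private P-256 key (ES256), verifies it with only the public key, and shows both a tampered payload and a token minted under a different key pair being rejected. The key identifier auth-prod-1, the subject builder-123 and the role claim are constructed for the illustration, and ES256 is an assumed algorithm; the page does not say which signing algorithm Sutro uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // all three JWT segments are unpadded base64url (RFC 7515, section 2)

// decodeJSON base64url-decodes one token segment and parses it as JSON into v.
func decodeJSON(segment string, v any) error {
	raw, err := b64.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignES256 produces header.payload.signature with the issuer's private P-256 key. kid names the
// key pair so a verifier holding one public key per auth service or environment knows which issued it.
func SignES256(priv *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS carries ES256 signatures as R||S, each left-padded to 32 bytes (RFC 7518, section 3.4), not DER.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyES256 checks a token with nothing but the issuer's public key and returns its claims. The
// algorithm is pinned here: letting the token's own header choose it is what "alg":"none" attacks rely on.
func VerifyES256(pub *ecdsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: expected 3 segments, got %d", len(parts))
	}
	var header struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &header); err != nil {
		return nil, err
	}
	if header.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]any
	if err := decodeJSON(parts[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// Demo plays both roles with constructed claims: the issuer signs with its private key; the verifier, in
// Sutro's position, holds only the public half and must reject a tampered token and one from an untrusted key.
func Demo() (subject string, tamperedRejected, forgedRejected bool, err error) {
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	verifierKey := &issuer.PublicKey // the only key material the verifier ever receives
	admin := map[string]any{"sub": "builder-123", "role": "admin"}
	token, _ := SignES256(issuer, "auth-prod-1", map[string]any{"sub": "builder-123", "role": "member"})
	claims, err := VerifyES256(verifierKey, token)
	if err != nil {
		return "", false, false, err
	}
	subject, _ = claims["sub"].(string)
	// Swap in an escalated payload but keep the original signature: the signed digest no longer matches.
	parts := strings.Split(token, ".")
	escalated, _ := json.Marshal(admin)
	_, err = VerifyES256(verifierKey, parts[0]+"."+b64.EncodeToString(escalated)+"."+parts[2])
	tamperedRejected = err != nil
	// Mint the same admin claims under a private key whose public half the verifier was never given.
	forged, _ := SignES256(attacker, "auth-prod-1", admin)
	_, err = VerifyES256(verifierKey, forged)
	forgedRejected = err != nil
	return subject, tamperedRejected, forgedRejected, nil
}

func main() { fmt.Println(Demo()) }
```

Two details carry the security point. The verifier pins the algorithm it expects rather than trusting the token's header, so a token claiming "alg":"none" or a symmetric algorithm is refused before any key is consulted. And the forged token fails even though its header, kid and payload are byte-for-byte plausible, because verification only ever needs the public key while minting needs the private one; that asymmetry is what lets Sutro hold nothing but public keys.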