In Silhouette, a JWT authenticator could be created using the following class:

JWTAuthenticatorSettings(
  fieldName: String = "X-Auth-Token",
  requestParts: Option[Seq[api.util.RequestPart.Value]] = Some(Seq(RequestPart.Headers)),
  issuerClaim: String = "play-silhouette",
  authenticatorIdleTimeout: Option[FiniteDuration] = None,
  authenticatorExpiry: FiniteDuration = 12 hours,
  sharedSecret: String)

What is the use of sharedSecret? Is it what the application would use when signing the JWT header/claims payload?
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
sharedSecret)
Looking at the formula, it looks like sharedSecret should be just secret. This is important since it should not be shared with clients. Usually, there is only one secret parameter (or several) that is used for all clients. Maybe in this sense, it is shared.
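The following is an added example, not Silhouette's code and not taken from the question or answer above. It implements the HS256 formula quoted in the question in plain Python (unpadded base64url of header and payload, joined with ".", HMAC-SHA256 under the secret) and a matching verifier, to show concretely why the secret must stay on the server: the same value that produces a signature is the one that verifies it, so anyone who holds it can mint a token the application will accept. The issuer value "play-silhouette" is taken from the settings class in the question; the secret string, the subject claims and the timestamps are constructed sample values. The algorithm is pinned to HS256 on the verifying side, which is an assumption about good practice here rather than a description of Silhouette's implementation.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url without '=' padding (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # restore padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: str, expected_issuer: str, now: float = None):
    """Return the claims if the token is valid under `secret`, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # pin the algorithm: never let the token choose how it is verified
        if header.get("alg") != "HS256":
            return None
        signing_input = (header_b64 + "." + payload_b64).encode()
        expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        # constant-time comparison of the MAC
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON or token structure
        return None
    if claims.get("iss") != expected_issuer:
        return None
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    # constructed sample secret; in practice this lives only on the server
    secret = "server-only-s3cret"
    token = sign_hs256({"iss": "play-silhouette", "sub": "alice", "exp": 2000000000}, secret)
    print(token)
    print(verify_hs256(token, secret, "play-silhouette"))
    # a client that was given the "shared" secret can forge any subject it likes
    print(verify_hs256(sign_hs256({"iss": "play-silhouette", "sub": "admin"}, secret),
                       secret, "play-silhouette"))
```

Handing sharedSecret to a client therefore turns it into a token-minting key, not just a verification key; with HS256 there is no split between the two roles, which is what the answer's point about "should not be shared" comes down to.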