The JSON Web Token seems to be a good way to protect server APIs from unauthorised access, but a JWT requires a secret key. And usually the one who makes a request to a server is a browser. And a browser cannot store a secret key, because it would be visible in the HTML.
So the only option that remains is to use the password entered by the user, store it in a variable, and use it as a secret key for subsequent requests. The problem is that on the server the secret keys have to match, so then I have to either:
Or am I missing something? Is there a better way to do this?
The JWT should be created on the server and sent to the client (typically in response to the client sending a username and password to the server using HTTPS).
The client never needs to know the secret key.
The server's secret key therefore doesn't need to match anything other than itself.
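An added example (not code from the question or the answer above) of the flow the answer describes: the server mints an HS256 JWT after checking the password over HTTPS, and on later requests verifies the signature and expiry with a secret that never leaves the server. The secret value, the claim names and the lifetime are assumptions; the forged-token check at the end shows why the client holding no key is not a problem, since a client that edits the payload cannot produce a valid signature.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side secret (constructed for this example); it is never sent to the browser.
SERVER_SECRET = b"replace-with-a-long-random-secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, secret: bytes = SERVER_SECRET, ttl: int = 3600, now=None) -> str:
    """Server side: after the password check, mint a signed token for this user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + ttl}  # assumed claim set
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes = SERVER_SECRET, now=None):
    """Server side: on each API request, return the claims if the token is valid, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" and any algorithm the server did not issue
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time comparison
            return None
        payload = json.loads(b64url_decode(payload_b64))
        if payload.get("exp", 0) <= now:
            return None
        return payload
    except ValueError:  # malformed base64, bad JSON or wrong number of segments
        return None
```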