<p><a class="user-mention" data-hovercard-type="user" data-hovercard-url="/hovercards?user_id=1465310" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/mrosseel">@mrosseel</a> the goal of a JWT token is to allow the backend to identify the user without querying the db, so the token always contains some unencrypted info about the user and a backend's signature to guarantee that the data was not tampered with.<br>
We don't query the database and keep the token in memory, so there is no benefit, while we would have to expose some data about the user. This is a privacy concern.<br>
If a random token expires then it's useless. JWT tokens cannot expire, and even if the key used for signatures is changed, the token itself still contains some data about the user.</p>
<p>As far as I know letsencrypt still requires a registered domain name, doesn't it?</p>
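<p>Added example (not part of the original comment, and not Bisq code): the two token styles contrasted above, in Python. It shows that a JWT's claims can be read without the signing key, even after that key has been rotated, while a random token held in an in-memory map carries no user data and resolves to nothing once expired. The key, the user names and the <code>OpaqueSessions</code> class are constructed for illustration.</p>

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def jwt_verify(token: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def jwt_peek(token: str) -> dict:
    """Read the claims with no key at all: the payload is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

class OpaqueSessions:
    """Hypothetical in-memory store: the token is random, the data stays server-side."""
    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._store = {}  # token -> (user, expiry timestamp)

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._store[token] = (user, now + self.ttl)
        return token

    def lookup(self, token: str, now: float):
        user, expires = self._store.get(token, (None, 0.0))
        if user is None or now >= expires:
            self._store.pop(token, None)  # expired or unknown: nothing left to learn
            return None
        return user
```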
