I have worked with OAuth and OpenID Connect a few times in the past, but a recent discussion brought to light that I didn’t really understand how it all worked. It was surprisingly difficult to hunt this down online, so I thought I would compile my research for anyone that is interested! Quick intro to JWTs and encryption: A JWT has the format {base64(header)}.{base64(payload).signature With symmetric encryption, every client and the token provider have a shared secret, which is used to hash the payload into a signature. Clients calculate the signature of the payload and verify the signature matches. With asymmetric encryption, the token provider keeps a private key and publishes a public key. The token provider hashes the payload and encrypts the hash into a signature. Clients use the public key to decrypt the signature and verify that matches the hash of the payload. The following attempts to explain how an OpenID Connect token provider digitally signs auth tokens, an