replaced https://tools.ietf.org/html/rfc with https://www.rfc-editor.org/rfc/rfc

The JWT JWA specification REQUIRES that HMAC signing keys have lengths equal to or greater than the signature byte array length.

continued edits for clarity
Les Hazlewood

signWith(Key) is recommended to let JJWT figure out the strongest algorithm possible based on the strength of your supplied key. signWith(Key,SignatureAlgorithm) enforces that the specified Key is strong enough for the specified SignatureAlgorithm per the RFC requirements. Both methods will reject any Key that doesn't meet the minimum RFC requirements.

signWith(Key) is recommended to let JJWT figure out the strongest algorithm possible based on the strength of your supplied key. signWith(Key,SignatureAlgorithm) allows you to specify a desired algorithm if you don't want the strongest possible one.

Both methods will reject any Key that doesn't meet the minimum RFC requirements.

added 2 characters in body
Les Hazlewood

As of JJWT 0.10.0, signWith(SignatureAlgorithm var1, String var2) has been deprecated because of the confusion between raw strings and Base64-encoded strings:

signWith(Key) is recommended to let JJWT figure out the strongest algorithm possible based on the strength of your supplied key. signWith(Key,SignatureAlgorithm) enforces that the specified Key is strong enough for the specified SignatureAlgorithm per the RFC requirements.

With JJWT >= 0.10.0, signWith(SignatureAlgorithm var1, String var2) has been deprecated because of the confusion between raw strings and Base64-encoded strings:

signWith(Key) is recommended to let JJWT figure out the strongest algorithm possible based on the strength of your supplied key. signWith(Key,SignatureAlgorithm) enforces that the specified Key is strong enough for the specified SignatureAlgorithm per the RFC requirements. Both methods will reject any Key that doesn't meet the minimum RFC requirements.
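The two rules the answer leans on, the JWA minimum HMAC key length and the raw-versus-Base64 ambiguity behind the deprecation, as an added Python example that is not JJWT code and not part of the original answer. It assumes only RFC 7518 section 3.2 (an HMAC key must be at least as long as the hash output) and mirrors the described signWith(Key) and signWith(Key, SignatureAlgorithm) behaviour; SAMPLE_SECRET is a constructed value.

```python
# Added example, not JJWT code: applies RFC 7518 s.3.2 (HMAC key length must be
# >= the HMAC output length) and shows why a String key is ambiguous.
import base64
import binascii
import hashlib
import hmac

# Minimum key length in bytes equals the HMAC output length; strongest first.
HMAC_ALGS = (("HS512", 64, hashlib.sha512),
             ("HS384", 48, hashlib.sha384),
             ("HS256", 32, hashlib.sha256))


def strongest_hs_alg(key: bytes) -> str:
    """Mirror the described signWith(Key): pick the strongest HS algorithm the
    key is long enough for, or reject the key outright."""
    for name, min_len, _ in HMAC_ALGS:
        if len(key) >= min_len:
            return name
    raise ValueError(f"key is {len(key)} bytes; HS256 needs at least 32")


def check_key_for_alg(key: bytes, alg: str) -> bool:
    """Mirror the described signWith(Key, SignatureAlgorithm) check."""
    min_len = {name: m for name, m, _ in HMAC_ALGS}[alg]
    return len(key) >= min_len


def sign_hs(key: bytes, alg: str, signing_input: bytes) -> bytes:
    """HMAC over the JWS signing input, refusing keys below the RFC minimum."""
    if not check_key_for_alg(key, alg):
        raise ValueError(f"key too short for {alg}")
    digest = {name: d for name, _, d in HMAC_ALGS}[alg]
    return hmac.new(key, signing_input, digest).digest()


def key_lengths_for_string(secret: str) -> dict:
    """The ambiguity behind the deprecation: the same String is one key length
    as raw UTF-8 bytes and another once Base64-decoded (None if not Base64)."""
    raw_len = len(secret.encode("utf-8"))
    try:
        decoded_len = len(base64.b64decode(secret, validate=True))
    except binascii.Error:
        decoded_len = None
    return {"raw_utf8": raw_len, "base64_decoded": decoded_len}


# Constructed secret: 40 Base64 characters that decode to only 30 bytes, so it
# passes the HS256 check as raw text but fails it once decoded.
SAMPLE_SECRET = base64.b64encode(bytes(range(30))).decode("ascii")
```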

Updated to reflect more recent JJWT API and documentation and recommended practices.
Les Hazlewood