Yes, where possible. Symmetric signing makes verification depend on a shared secret, which increases exposure if that secret leaks or is reused. Asymmetric signing better separates issuance from verification and reduces the chance that one compromised key can invalidate trust across many services.
Why This Matters for Security Teams
For high-risk API flows, symmetric JWT signing creates a single shared secret that must protect both issuance and verification. That is convenient, but it also widens the blast radius when the secret is leaked, copied into code, reused across services, or left valid too long. The more privileged the flow, the less defensible long-lived shared trust becomes. Current guidance on zero trust and NHI governance points toward stronger separation of duties, better rotation discipline, and tighter service accountability, as reflected in NIST Cybersecurity Framework 2.0 and NHIMG’s Top 10 NHI Issues.
The issue is not JWTs themselves, but the trust model behind them. A shared HMAC key can be hard to inventory, hard to revoke selectively, and hard to prove has not been exposed. In contrast, asymmetric signing lets a small number of issuers hold private keys while many verifiers rely on public keys, reducing trust concentration. That matters especially where APIs handle payments, infrastructure changes, secrets retrieval, or tenant-level actions. In practice, many security teams encounter key misuse only after a production token leak or lateral movement has already occurred, rather than through intentional control testing.
How It Works in Practice
The practical decision is usually to move from symmetric HMAC signing to asymmetric signing with strong key management. The issuer signs with a private key, and each API or gateway verifies with a public key, often distributed through a managed JWKS endpoint. That changes the operational model in a useful way: verification can scale without replicating the secret, and compromise of one verifier does not automatically expose the signing material. This aligns with the broader NHI principles in NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now.
For high-risk flows, teams should also pair signature changes with controls that reduce replay and misuse. That typically means short token lifetimes, audience restriction, issuer validation, token binding where supported, and key rotation procedures that are tested before an incident. For service-to-service APIs, the stronger pattern is often to authenticate the workload itself, then authorize the call based on context, not just on possession of a token. This is consistent with zero trust thinking in NIST Cybersecurity Framework 2.0 and with NHIMG’s guidance on reducing standing trust in OWASP NHI Top 10.
- Prefer asymmetric JWT signing when multiple services must verify tokens.
- Keep private keys narrowly held and rotate them on a documented schedule.
- Limit token lifetime and scope, especially for admin, billing, or secrets-related APIs.
- Validate issuer, audience, and algorithm explicitly; do not trust token contents by default.
- Use workload identity and policy checks for the API call itself, not only token possession.
These controls tend to break down when legacy services require shared libraries, offline verification, or hard-coded secrets that cannot be rapidly rotated because the operational dependency itself becomes the trust bottleneck.
Common Variations and Edge Cases
Tighter token controls often increase operational overhead, requiring organisations to balance security gains against deployment complexity and outage risk. That tradeoff is real, especially in environments with many consumers, older gateways, or partner integrations that cannot yet consume public-key infrastructure cleanly.
There is no universal standard for every API topology. For low-risk internal systems with small blast radius and mature secret handling, symmetric signing may remain acceptable as a transitional design. For high-risk flows, however, current best practice is evolving toward asymmetric signing plus stronger NHI controls, because it reduces shared-secret exposure and makes revocation and separation of duties more practical. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks shows why excessive privilege and weak secret hygiene are still common failure points.
Edge cases include token exchange chains, multi-tenant platforms, and event-driven systems where tokens are minted once but consumed far downstream. In those environments, asymmetric signing is necessary but not sufficient. The verifier still needs strict audience checks, rapid revocation paths, and monitoring for anomalous token use. Organisations that depend on long-lived shared secrets for these workflows should treat them as temporary technical debt, not a secure endpoint state.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers secret rotation and exposure risks in shared JWT signing. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access supports safer token verification and issuance separation. |
| NIST Zero Trust (SP 800-207) | SC | Zero Trust supports context-based verification instead of shared trust in a secret. |
Replace shared JWT secrets with asymmetric keys and rotate signing material on a tested schedule.
