Java – JWT login process and token validation on the server

What is the correct way to verify tokens on the server?

I use the JWT token mechanism in my application; this is how it works now:

> 1. The client logs in with the user name and password.
> 2. The server checks the user name and password, uses RSA to create the token's public and private keys, and sends a new token to the client whose payload contains the user's e-mail address; the same token is then stored in the database.
> 3. For any subsequent resource request sent by the client, the server uses the token supplied with the request to look the token up in the database by the e-mail address of the logged-in user.
> 4. The resource is then provided to the client.

I think I missed something here. Reading other blog posts, I see that the token should be verified with a key.

I have a few questions:

> 1. I'm not sure whether I should check the token's private key against the public key.
> 2. When sending the JWT token to the client, must I send the public key to the client in the payload because I'm using the RSA mechanism? So for each resource request, must I decode the token and check the public key against the private key?
> 3. Under what circumstances do I need to store tokens in the database? Or is it not necessary to store tokens in the database at all?
> 4. What happens when a malicious client acquires a token and logs in with it?

Note: I use vanilla Java and JAX-RS (REST) as the back end and AngularJS as the front end. Thank you.

Solution

> The server must use the private key to sign the JWT. The client can then verify the token with the public key, and so can the server itself.
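As an added example (it is not code from the original post or the answerer), here is what the answer's advice looks like in plain JDK Java with no JWT library: the server signs `header.payload` with its RSA private key (RS256 = SHA256withRSA), and the verifier checks that signature with the public key, pins the algorithm to RS256 instead of trusting the header, and only after the signature passes reads and enforces the `exp` claim. The key pair, the sample claims and the e-mail addresses are constructed for illustration; the class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JwtRs256Demo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private static final String HEADER_JSON = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
    private static final Pattern EXP_CLAIM = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Server side: build header.payload and sign it with the private key (RS256 = SHA256withRSA). */
    static String sign(String payloadJson, PrivateKey priv) throws GeneralSecurityException {
        String signingInput = b64(HEADER_JSON) + "." + b64(payloadJson);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(priv);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    /**
     * Verifier side: needs only the public key. Checks the signature first, then the expiry.
     * Returns the payload JSON on success and throws on any failure.
     */
    static String verify(String token, PublicKey pub) throws GeneralSecurityException {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SignatureException("malformed token");

        // Pin the algorithm: the header is attacker-controlled, so refuse anything but RS256
        // (this also rejects a token that claims "alg":"none" and carries no signature).
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"RS256\"")) throw new SignatureException("unexpected alg");

        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64D.decode(parts[2]))) throw new SignatureException("bad signature");

        // Only now is the payload trustworthy; enforce the exp claim (seconds since the epoch).
        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP_CLAIM.matcher(payload);
        if (!m.find()) throw new SignatureException("missing exp claim");
        if (Long.parseLong(m.group(1)) <= Instant.now().getEpochSecond())
            throw new SignatureException("token expired");
        return payload;
    }

    private static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // One long-lived key pair for the service; the private key never leaves the server.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        long exp = Instant.now().getEpochSecond() + 900;  // 15-minute lifetime
        String payload = "{\"sub\":\"alice@example.com\",\"exp\":" + exp + "}";  // constructed sample claims
        String token = sign(payload, kp.getPrivate());
        System.out.println("issued:   " + token);
        System.out.println("verified: " + verify(token, kp.getPublic()));

        // A client that rewrites the e-mail in the payload but keeps the old signature is rejected.
        String[] p = token.split("\\.");
        String forged = p[0] + "." + b64("{\"sub\":\"mallory@example.com\",\"exp\":" + exp + "}") + "." + p[2];
        expectRejected(forged, kp.getPublic());

        // Stripping the signature and claiming "none" is rejected by the algorithm pin.
        String none = b64("{\"alg\":\"none\",\"typ\":\"JWT\"}") + "." + p[1] + ".";
        expectRejected(none, kp.getPublic());

        // A correctly signed but expired token is rejected too.
        String stale = sign("{\"sub\":\"alice@example.com\",\"exp\":" + (exp - 1000) + "}", kp.getPrivate());
        expectRejected(stale, kp.getPublic());
    }

    private static void expectRejected(String token, PublicKey pub) {
        try {
            verify(token, pub);
            System.out.println("UNEXPECTED: token accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac JwtRs256Demo.java && java JwtRs256Demo`. Note what the verifier holds: the public key, which it can load from the server's own key store or from the issuer; nothing about the key needs to travel inside the token. In a JAX-RS service the `verify` call belongs in a request filter that runs before the resource method. The hand-rolled signing and parsing above is for illustration of what the algorithm pin and signature check do; for production use a maintained library such as jjwt or Nimbus JOSE+JWT rather than this code.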
