Comment by ajayyy
1 year ago
The tokens are "generated" on the client, and the server just gives the client enough information to make that locally generated token become "valid", without being able to link that token to a specific validation attempt
So basically the server signs the token and afterwards the server can verify its own signature for every request with that token?
looking at it from a high level, it doesn't appear the final token ever leaves the client till it's being redeemed. There's a middle step that does get signed, but this part is not what is sent.