WebCrypto + IndexedDB

The WebCrypto API's CryptoKey interface allows developers to securely create public and private keys in the browser. These keys can be used to sign and validate JWTs, or to perform other cryptographic tasks such as encryption and decryption. Importantly, a key generated as non-extractable stays opaque: its raw material is never revealed to the end user or to the JavaScript runtime. This means that developers can sign and verify through the CryptoKey handle without ever handling the underlying key bytes directly.

One neat application of this is the ability to store the CryptoKey object itself in IndexedDB for later use. This lets developers keep signing JWTs with the same private key across multiple browser sessions, until the browser storage is cleared. This can be useful in scenarios like OAuth2's Dynamic Client Registration Protocol. Overall, the WebCrypto API's CryptoKey interface provides a convenient and secure way to work with public and private keys in the browser.

Demo

In this demo, we use a key pair generated with WebCrypto to sign and validate a JWT completely in the browser. The generated CryptoKey is stored in IndexedDB so we can reuse the same key pair over multiple browser sessions.

See the code behind this demo

Note that you need HTTPS (a secure context) for this demo to work: WebCrypto's crypto.subtle is not available on plain HTTP pages.