I want to secure the hosted REST services using a token authorization system. So, I decided to go with the JWT process. After following the documentation, I got confused about how the digital signature works. AFAIK we need to encrypt the private key using SignatureAlgorithm, and to verify it we only need the public key on our end-user application. I will save the public key in an Android local database.
Now, let's talk about reverse engineering. If someone is able to access the client database and figure out what the public key is, now they just need to figure out what kind of algorithm the server is using for the digital signature, and it's very simple to do that by just decrypting the header section.
Am I missing something here? If no, then how is JWT safe to use?
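What signing and verifying a JWT with an asymmetric key pair looks like in practice, as an added example that is not part of the original question or any project it refers to. It uses Go's standard library with Ed25519 (registered for JWS as alg "EdDSA"); the claims, the server key pair and the attacker's key pair are all constructed here for illustration, and the header is left readable, exactly as the question describes, because it is only base64url-encoded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Header is the JOSE header: the "header section" of the token. It is only
// base64url-encoded, not encrypted, so anyone can read the algorithm name.
type Header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

// Claims is a minimal payload (constructed for this example).
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign produces header.payload.signature. Only the holder of the PRIVATE key
// can run this step; the signature covers the encoded header and payload.
func Sign(priv ed25519.PrivateKey, claims Claims) (string, error) {
	h, err := json.Marshal(Header{Alg: "EdDSA", Typ: "JWT"})
	if err != nil {
		return "", err
	}
	p, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(h) + "." + b64(p)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64(sig), nil
}

// Verify needs only the PUBLIC key. The algorithm is pinned here rather than
// read from the header, so a token claiming alg "none" or a different scheme
// is rejected before any signature check (the classic alg-confusion bug).
func Verify(pub ed25519.PublicKey, token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var hdr Header
	if err := json.Unmarshal(rawHeader, &hdr); err != nil {
		return Claims{}, err
	}
	if hdr.Alg != "EdDSA" {
		return Claims{}, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, errors.New("bad signature")
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var claims Claims
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return Claims{}, err
	}
	return claims, nil
}

// TamperPayload is what someone who extracted the public key from the client
// can do: swap the payload and keep the original signature. They cannot make a
// signature that matches, because that requires the private key.
func TamperPayload(token string, claims Claims) string {
	parts := strings.Split(token, ".")
	p, _ := json.Marshal(claims)
	return parts[0] + "." + b64(p) + "." + parts[2]
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // server key pair (constructed)
	token, _ := Sign(priv, Claims{Sub: "user-42", Exp: 1700000000})
	_, err := Verify(pub, token)
	fmt.Println("genuine token accepted:", err == nil)

	_, err = Verify(pub, TamperPayload(token, Claims{Sub: "admin", Exp: 1700000000}))
	fmt.Println("tampered payload accepted:", err == nil)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key pair
	forged, _ := Sign(attackerPriv, Claims{Sub: "admin", Exp: 1700000000})
	_, err = Verify(pub, forged)
	fmt.Println("re-signed with attacker key accepted:", err == nil)
}
```

The public key and the algorithm name are meant to be public: they are enough to verify a token but not to produce one, which is why the verifier pins the algorithm instead of trusting the header. A production verifier would additionally check `exp` against the current time and, if the client is the one verifying, ideally fetch the public key from the server rather than reading it from local storage, where an attacker who can modify the database could also replace it.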