Public-Key Cryptography.
A cryptographic system in which each principal holds a mathematically linked key pair — a public key that anyone can use to encrypt or verify, and a private key the holder uses to decrypt or sign.
Public-key cryptography is what makes passkeys phishing-resistant. The private key never leaves the user's device; the public key is registered with the relying party. A phishing site cannot induce the user to send a credential because there is no shared secret to send — the authentication is a signature proving possession of the private key, scoped to the relying party's domain.
The asymmetry also explains why JWT validation scales: a token signed with the issuer's private key can be validated by any service holding the public key (typically fetched from a JWKS endpoint), no callback to the issuer required per request. That property is what enables stateless validation across distributed systems.
Common questions
What is the difference between a public key and a private key?
Is public-key cryptography the same as asymmetric encryption?
Why are passkeys based on public-key cryptography?
In the guides
JWT Explained: JSON Web Tokens, JWT Authentication, and the Pitfalls
JWT (JSON Web Token) is the dominant signed-token format for authentication and API authorization. How JWT tokens are structured, how JWT authentication works in OAuth 2.0 / OIDC, which algorithms to pin, and the recurring vulnerability classes that keep biting implementers.
mTLS Explained: Mutual TLS for Service Identity and API Authentication
Mutual TLS authenticates both sides of the connection. How it works for service-to-service, where SPIFFE/SPIRE fits, and the cert-management pitfalls that bite.
Post-Quantum Cryptography for Authentication: What CIAM Teams Should Do in 2026
When post-quantum cryptography matters for authentication, what NIST has standardized, and the realistic CIAM migration path through 2030.
WebAuthn Explained: How Passkeys Work Under the Hood
WebAuthn is the W3C browser API that powers passkeys. A practical explanation of registration, assertion, RP-IDs, attestation, and the architecture choices that determine adoption.