First off, apologies, this answer got rather long.
If you use RSA to sign your tokens, and a connecting client is a web browser, the client will never see the RSA keys (public or private). This is because the client presumably doesn’t need to verify that the JWT is valid, only the server needs to do that. The client just holds onto the JWT and shows it to the server when asked. Then the server checks to make sure its valid when it see’s the token.
So why might you need a public / private key combo for JWT’s? Well first off, you don’t need to use a public / private key algorithm.
You can sign JWT’s with a number of different algorithms, RSA being one of them. Other popular choices for signing your JWT’s are ECDSA or HMAC algorithms (the JWT standard supports others as well). HMAC, specifically, is not a public / private key scheme. There’s just one key, the key, which is used to both sign and validate the tokens. You can think of this as using the private key for both signing and validating the JWT’s. I’m not an expert on this by any means, but here’s the conclusions I came to from doing my own research recently:
Using HMAC is nice because it’s the fastest option. However, in order to validate the JWT’s, you need to give someone the one key that does everything, Sharing this key with someone else means that that person could now also sign tokens and pretend like they’re you. If you’re building multiple server applications that all need to be able to validate your JWT’s, you might not want every application to have the ability to sign tokens as well (different programmers might be maintaining the different applications, sharing the signing ability with more people is a security risk, etc). In this case, it’s better to have one, tightly controlled private key (and one app that does the signing) and then share the public key around with other people to give them the ability to validate the tokens. Here, the private key is used for signing the tokens, and the public key is used for validating them. In this case you’d want to choose RSA or ECDSA.
As an example, you might have an ecosystem of apps that all connect to
the same database. To log users in, each app sends folks to one,
dedicated, ‘logging in’ app. This app has the private key. The other
apps can verify that the person is logged in using the public key (but
they can’t log people in).
The research I’ve done points to RSA being the better option for most JWT apps in this scenario. This is because your app will be, theoretically, validating tokens frequently. RSA is much faster then ECDSA at verification. ECDSA is primarily nice because the keys are smaller in size. This makes it better for HTTPS certificates because you need to send the public key to the client’s browser. In the JWT scenario though, the keys are staying on a server so the storage size is n/a and the verification speed is more important.
Conclusion: if you’re building a small app without multiple smaller ‘micro-service apps’ / you’re the only developer, probably choose HMAC to encrypt your keys. Otherwise, probably choose RSA. Again though, I’m not an expert, just someone who recently googled this topic, so take this with a grain of salt.