I made a post yesterday asking how to encrypt JWTs and I have managed to get it all working.

However, I noticed that tokens do not have to be encrypted. If tokens are not encrypted then the TokenDecryptionkey is completely ignored and the user is authenticated with no issues.

Is there any property I am missing in my code below which would allow me to reject any non-encrypted tokens?

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer(options => { options.TokenValidationParameters = new TokenValidationParameters { // validate server that created token ValidateIssuer = true, ValidIssuer = Configuration["Jwt:Issuer"], // check if recipient of token is authorized ValidateAudience = true, ValidAudience = Configuration["Jwt:Issuer"], // check if key used to sign token is known to server ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Signingkey"])), // check if token has expired ValidateLifetime = true, RequireExpirationTime = true, ClockSkew = TimeSpan.Zero, // enable decryption of the token using same secret TokenDecryptionKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Secret"])), }; }); 

Thank you for any help or checking out the code :)