It’s a web application, hosted on a server. The concern is that somehow the payload could be intercepted if the private key is exposed. I’m aware this is a more general concern with javascript encryption, but asking in case there is a more secure practice for authenticating a web app from Discourse.