undefined | Better HN

0 pointsbeckler8y ago0 comments

You can't prematurely expire or invalidate JWT tokens once created, unless you keep a database of tokens, and at that point you should just use sessions because that's basically what it is at that point: A session token with additonal data.

0 comments

013a8y ago

That doesn't mean JWTs are bad; it just means their use case is more restrictive. JWTs are designed for sessions; think Google API tokens that have a validity of 1 hour. If you're using them for anything longer than that, then you'll probably need to back it with a database so you can support revocation, and at that point JWTs make less sense because they're so large.

j / k navigate · click thread line to collapse

0 pointsbeckler8y ago0 comments

0 comments

013a8y ago

j / k navigate · click thread line to collapse