Why JSON Web Tokens Are Truly Awesome
Leo Lamprecht

FWIW the token approach has the disadvantage that you can’t revoke tokens that easily and if you want to support a “keep me logged in” checkbox you will have to set the `exp` value rather high.

I’m using a slightly more complicated approach in one of my projects:

  • OAuth 2 with access+refresh token
  • refresh token: random value saved in the database
  • access token: JWT

This has the advantage of not doing the database call for most of the requests, but once the access token is expired it will check the database for the refresh token which can be manually revoked.

This approach still gives an attacker the chance of using the access token until it’s expired, but since the `exp` value can be much smaller that risk is reduced quite a bit.