Very solid article!

In my auth system I’m using short-lived JWT tokens and never-expiring refresh tokens.

The JWT expires in 1h or less and can’t be revoked or blacklisted. Blacklisting would require some lookup on the server side, and it would be basically the same as using a stateful session.

The refresh token never expires and can be used to get a new JWT token. However, you can revoke the refresh token.

With this solution you have a practically never-expiring session, you’re still using stateless JWT validation, and you can revoke access.

I hope it helps.

Clapping shows how much you appreciated Tamas Polgar’s story.
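The pattern described in the comment above, as an added example that is not the commenter's code: a stdlib-only Python sketch in which the access JWT is validated statelessly (signature and `exp` only), while the opaque refresh token is the one thing looked up server-side and therefore revocable. The secret, the in-memory store and the helper names are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"  # constructed; load from a secret store in practice
JWT_TTL = 3600                       # access token lifetime: 1h, as in the comment

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(sub: str, now: float) -> str:
    """Stateless HS256 access token; validity is decided only by signature and exp."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": int(now), "exp": int(now) + JWT_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, now: float):
    """Return the claims if signature, alg and exp check out, else None. No server lookup."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    if json.loads(_unb64(header)).get("alg") != "HS256":  # never trust the token's own alg choice
        return None
    claims = json.loads(_unb64(payload))
    return claims if now < claims["exp"] else None

# Refresh tokens are opaque and stateful: the server keeps a hash, so they can be revoked.
REFRESH_STORE: dict = {}  # sha256(refresh token) -> subject

def issue_refresh_token(sub: str) -> str:
    tok = secrets.token_urlsafe(32)
    REFRESH_STORE[hashlib.sha256(tok.encode()).hexdigest()] = sub
    return tok

def revoke_refresh_token(tok: str) -> None:
    REFRESH_STORE.pop(hashlib.sha256(tok.encode()).hexdigest(), None)

def refresh(tok: str, now: float = None):
    """Exchange a still-valid refresh token for a new short-lived JWT, or None if revoked."""
    sub = REFRESH_STORE.get(hashlib.sha256(tok.encode()).hexdigest())
    return issue_jwt(sub, time.time() if now is None else now) if sub else None
```

Revoking the refresh token stops further refreshes immediately, but a JWT already issued stays valid until its `exp`, so the 1h TTL is the upper bound on how long revoked access lingers.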