When it comes to authentication for web services, JWT offers a simple but effective method. It also comes with some downsides. Because the tokens are stored on the client, the server normally has no record of how many tokens are in use. When a user changes his password or wants to invalidate all sessions manually, this seems to exceed JWT’s capabilities. I have found five ways to keep track of all sessions or at least to have the ability to invalidate all sessions in an uncomplicated way.
This method is the easiest one to think of I…