  • 3
    This is really the best answer since it answers the question, without going into detail on JWT and OAuth tokens. Most of the other answers add more information/context, but make assumptions which result in incomplete explanations and confusing answers. Commented Nov 9, 2022 at 14:34
  • 4
    Because JWTs are stateless, the only way to revoke them is with a backing store, in this way the system becomes stateful. The problem is that all services will have to have access to this revocation list to check if the token has been revoked, instead of implicitly trusting the token. Good news is you only need to store the revoked tokens, not all of them, and only until the token was going to expire anyway, making this an efficient compromise. Commented Nov 10, 2022 at 10:04
  • @ChrisSchaller: You only need to search the revoked tokens, but you need to store all of them (until expiration), or else you won't be able to insert into the revocation list. Commented Aug 17, 2023 at 22:03
  • First link (anil-pace.medium.com/json-web-tokens-vs-oauth-2-0-85dd0b32057d) is broken Commented Sep 9, 2024 at 8:24
  • Check out jwtrevoke.com for managing and revoking JSON Web Tokens (JWTs) efficiently. Commented Dec 27, 2024 at 22:34
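The revocation-list compromise discussed in the comments above (a denylist that holds only revoked token ids, each kept only until that token's own expiry), as an added example that is not part of the original thread; the HS256 signing helper, the `RevocationList` class and the demo secret are assumptions of this example, not code from any project mentioned here:

```python
import base64, hashlib, hmac, json

# Constructed demo key; a real service loads its signing secret from a vault.
SECRET = b"demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict) -> str:
    """Mint a compact HS256 JWS. Claims must carry 'jti' (token id) and 'exp'."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

class RevocationList:
    """Denylist keyed by jti; an entry is only needed until the token's exp."""
    def __init__(self):
        self._revoked = {}  # jti -> exp (unix seconds)

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def contains(self, jti: str, now: int) -> bool:
        exp = self._revoked.get(jti)
        return exp is not None and exp > now

    def purge(self, now: int) -> int:
        """Drop entries whose token has expired anyway; returns how many."""
        stale = [j for j, exp in self._revoked.items() if exp <= now]
        for j in stale:
            del self._revoked[j]
        return len(stale)

def verify_token(token: str, revoked: RevocationList, now: int):
    """Return the claims if signature, expiry and revocation checks pass, else None."""
    try:
        header, body, sig = token.split(".")
        hdr, claims, given = json.loads(_unb64url(header)), json.loads(_unb64url(body)), _unb64url(sig)
    except ValueError:  # malformed segments, bad base64 or bad JSON
        return None
    if hdr.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    if claims.get("exp", 0) <= now or revoked.contains(claims.get("jti", ""), now):
        return None
    return claims
```

Every service that accepts the token needs the same `RevocationList` (in practice a shared store such as a cache), which is the statefulness the comment describes.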