by jon-wood 3679 days ago
One thing I've not quite got my head around with JWT is not authenticating tokens with the server on each request - am I really just meant to assume a token is trusted until its expiry time? What if a user signs out all their sessions in the meantime, or an employee is fired and needs access revoking? As far as I can tell I do just have to use short-lived tokens and renew them frequently, but that comes with its own set of problems when doing JavaScript-based applications and implicit auth.
2 comments

Technically JWTs cannot be revoked once they're issued (they just expire). You have to make sure that you delete the JWT from your preferred storage when you sign a user out and issue JWTs for a short period.

Your other option is to allow blacklisting of JWTs per client. However, this will add the additional overhead of making an HTTP request to check if a token is blacklisted. That's how Auth0 does it in their commercial OpenID Connect provider.

That's the trade-off. Either you have "real-time" data but need a database roundtrip, or you save latency but must accept the downside. However, you can use short token times to mitigate that, something like 10 minutes for example.