by bmelton 3524 days ago
Token based auth is stateless, so your first assumption stands true -- no need to join them at the hip.

I've tried working with tools like Djangular and whatnot, and no matter how many times I've tried working within that ecosystem, I've always had better results, cleaner and simpler code by keeping the UI and Backend completely separate.


Token based auth doesn't need to be stateless. In fact in our current implementation it is not.

If you use stateless tokens like JWT (we had this before) you end up having a huge problem: imagine a user wants to log out all the open accounts in different browsers.

How would you handle that? You would need to wait for the expiration of the token, a solution that is not that secure.

One solution is to store the token in localStorage, which supports events.

You can listen for localStorage changes in all your tabs. When it changes, force a page reload or similar.

Edit: typos

I think you didn't understand the issue. Imagine you want to implement a "log out from all my sessions" feature like Facebook or Google have (sessions on different devices).
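The disagreement in the thread is about where revocation state lives. The example below is added here to illustrate it; it is not code from any of the commenters and does not describe their implementation. It builds a minimal HS256 token (assumed demo key, in-memory store, a made-up user "alice") and compares two verifiers: a purely stateless one that checks only signature and expiry, and a stateful one that also consults a per-user token version and a per-token denylist kept on the server. "Log out everywhere" is then a single increment of that version, which rejects every outstanding token for the user no matter which device holds it, with no waiting for expiry.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption for the demo only; a real deployment uses a random key of 32+ bytes
# loaded from a secret store, never a literal in source.
SECRET = b"assumed-demo-hmac-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class SessionStore:
    """The server-side state a purely stateless JWT deployment does not have:
    a token version per user plus a denylist of individual token ids (jti)."""

    def __init__(self):
        self.version = {}      # user_id -> int, bumped on "log out everywhere"
        self.revoked = set()   # jti values logged out one at a time

    def current_version(self, user_id):
        return self.version.setdefault(user_id, 0)

    def logout_everywhere(self, user_id):
        # Every token minted before this call carries an older "ver" claim
        # and is rejected on its next use, on every browser and device.
        self.version[user_id] = self.current_version(user_id) + 1

    def logout_one(self, jti):
        self.revoked.add(jti)


def issue_token(store, user_id, now, ttl=3600):
    """Mint an HS256 token whose claims embed the user's current version."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": user_id,
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(8),
        "ver": store.current_version(user_id),
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_stateless(token, now):
    """What a pure JWT check does: signature and expiry only. Returns claims or None."""
    try:
        h, c, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":   # refuse alg=none and algorithm confusion
            return None
        claims = json.loads(_b64url_decode(c))
    except ValueError:                     # bad base64, bad JSON, wrong segment count
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def verify_stateful(store, token, now):
    """Same checks, plus the server-side revocation state. Returns claims or None."""
    claims = verify_stateless(token, now)
    if claims is None:
        return None
    if claims.get("jti") in store.revoked:
        return None
    if claims.get("ver") != store.current_version(claims.get("sub")):
        return None
    return claims


def demo():
    """Two devices hold tokens; the user logs out everywhere; only the stateful
    verifier notices, and a fresh login after the logout works again."""
    store = SessionStore()
    now = int(time.time())
    laptop = issue_token(store, "alice", now)
    phone = issue_token(store, "alice", now)
    before = verify_stateful(store, phone, now) is not None
    store.logout_everywhere("alice")
    fresh = issue_token(store, "alice", now)
    return {
        "before_logout": before,
        "stateless_accepts_after": verify_stateless(laptop, now) is not None,
        "stateful_accepts_after": verify_stateful(store, laptop, now) is not None,
        "fresh_login_accepted": verify_stateful(store, fresh, now) is not None,
    }
```

The trade-off is the one the thread circles around: the stateful verifier costs one store lookup per request, but it can revoke immediately; the stateless one never touches the store and can only wait for `exp`. The `storage` event mentioned above only reaches other same-origin documents in the same browser profile, so it can coordinate tabs but cannot reach a session on another device, which is exactly the case the last comment describes.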