[jehlakj]

Which is probably the most robust and scalable of them all. I was wondering some some services took 30m to an hour to revoke access, and this is the reason why. Only downside is you have to use JavaScript on the browser, which isn’t much of a problem really.

[zaarn]

You don't specifically need JS here.

Any endpoint could automatically update the user session token when it detects it's about to run out and update the cookie that it is stored in.

[jehlakj]

Oh right! I totally forgot that you could use cookies for JWT. It's been a while, but I think the reason why I didn't think of it was because, if you're using cookies to transport jwt, couldn't you just use signed cookies with a set expiration date?