by hardwaresofton
3031 days ago
Absolutely -- In the end, to even invalidate a JWT properly you have to either depend on time (so short-lived tokens + refresh token), or store some sort of blacklist (and then you're back to where you started anyway). The world is probably ready for a microservice that does this that everyone can use -- I saw one on HN a while ago but haven't seen it since. The big benefit I saw from JWTs was the stateless nature, with the drawback of servers using the same key. Thanks for the reply! Sleep well.
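
The two invalidation options named in the comment above, combined in one sketch. This is an added example, not part of the original comment: the key, the 300-second lifetime and all function and class names are assumptions made for illustration, and the token is a hand-rolled HS256 JWT built with the standard library only.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # constructed sample secret (assumption), shared by all verifiers
TTL = 300                      # assumed access-token lifetime in seconds

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def issue(sub: str, now: int) -> str:
    """Mint a short-lived token; the random jti is what a revocation refers to."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "exp": now + TTL, "jti": secrets.token_hex(8)}
    body = header + "." + _b64(json.dumps(claims).encode())
    return body + "." + _sign(body)

class Denylist:
    """Revoked jti -> exp. An entry is only needed until the token expires on its own."""
    def __init__(self):
        self._revoked = {}

    def revoke(self, claims: dict) -> None:
        self._revoked[claims["jti"]] = claims["exp"]

    def contains(self, jti: str, now: int) -> bool:
        # Prune entries whose tokens are already rejected by the exp check.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return jti in self._revoked

    def __len__(self):
        return len(self._revoked)

def verify(token: str, denylist: Denylist, now: int):
    """Return the claims if signature, expiry and denylist all pass, else None."""
    try:
        header, payload, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(header + "." + payload)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    if claims["exp"] <= now or denylist.contains(claims["jti"], now):
        return None
    return claims
```

With more than one server, the denylist has to sit in a store every verifier can reach, which is the state the comment says you end up back with; the short lifetime only bounds how large that store grows.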