by crazy5sheep 2845 days ago
Really, why do people keep saying JWT cannot be invalid? Isn't it simple enough to use a Redis bitmap to store the info? Each token only takes one bit. How many tokens can you have, 1 billion? 120MB is more than enough. What you save here is the time and resources spent hitting the database.

If you have a revocation list for JWT tokens, you could just as well just use session IDs, avoiding all issues with JWTs.
But you cannot store anything in your session ID. JWT can carry a small amount of data that's needed by my service. I only need to validate the JWT and check if it's been invalidated. Then I can go ahead and perform my business logic. I don't want to hit the db to get all this data. Yes, you can argue why not just store them in Redis too, but with JWT I only need one bit.
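Added example, not part of the thread or any commenter's code: a sketch of the one-bit-per-token check discussed above, verifying an HS256 JWT and then testing a revocation bit. It assumes each token carries a sequential integer `jti` assigned at issue time, and uses an in-memory bytearray as a stand-in for the Redis bitmap; the key, class and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

class RevocationBitmap:
    """In-memory stand-in for a Redis bitmap (SETBIT / GETBIT)."""
    def __init__(self, capacity: int):
        self.capacity = capacity
        # One bit per token: 10**9 tokens need 125,000,000 bytes (about 119 MiB).
        self.bits = bytearray((capacity + 7) // 8)

    def revoke(self, seq: int) -> None:
        self.bits[seq >> 3] |= 0x80 >> (seq & 7)  # MSB-first, as Redis numbers bits

    def is_revoked(self, seq: int) -> bool:
        return bool(self.bits[seq >> 3] & (0x80 >> (seq & 7)))

def issue(seq: int, claims: dict) -> str:
    """Issue a token whose jti is its index in the bitmap (assumption)."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64e(json.dumps({**claims, "jti": seq}).encode())
    return f"{header}.{payload}.{b64e(mac(header + '.' + payload))}"

def validate(token: str, bitmap: RevocationBitmap):
    """Return the claims if the signature is valid and the bit is clear, else None."""
    try:
        header, payload, sig = token.split(".")
        # Check the signature before trusting anything inside the token.
        if not hmac.compare_digest(mac(header + "." + payload), b64d(sig)):
            return None
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        claims = json.loads(b64d(payload))
        seq = claims["jti"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    if type(seq) is not int or not 0 <= seq < bitmap.capacity:
        return None  # fail closed on an index the bitmap cannot represent
    return None if bitmap.is_revoked(seq) else claims
```

Expiry (`exp`) checking is omitted here to keep the focus on the revocation bit; a real validator would also enforce it.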