[anon1252]

> Traversing a list of 100,000 users/sessions in a db to pull up the session is a different beast compared to traversing an in memory list of 10-100 revoked JTIs in redis. It is a lot less data to store and optimize (the full session vs. a small list of revoked JTIs)

I don't see why one can't use redis to persist sessions at first place and why your list of revoked token would be limited to 100.

[finder83]

It does depend on how many users you have and your TTL for the JWT, but if you have a 10 minute time to live, you only need to store the revocations for 10 minutes in redis since otherwise the tokens themselves expire. (Just an example, sub 10 minutes with 24 hours or whatever)

[luhn]

It's not explicitly limited to 100, but only a small portion of tokens will be revoked, so your revocation list will be small.