Hacker News
by michaelt 2734 days ago

  How does it matter how many tokens are in the blacklist?
If you're authenticating something internal to a company, like the link between the website and the order status backend, there may be literally one user with one token.

In this case, the list of revoked tokens will take little space, and update very rarely!

If you're authenticating users logging into your website and you decide user logouts should be implemented by token revocation, you're going to have a great many revoked tokens - perhaps within an order of magnitude of the number of active users you have.

I suspect a lot of the disagreement here is between people who are thinking of different situations.


What you’re describing - a microservice architecture - is actually a legitimate use case for JWT. I would say that’s an example of sound authentication, but it’s not session authentication, which is what’s being talked about here. Microservices authenticating and communicating with one another don’t utilize the concept of sessions in the sense that clients (users) and servers do.

For that reason I don’t know that it’s fair to say the disagreement throughout this thread is due to people talking about different things. Microservice authentication notwithstanding, session management is not optimally handled by JWT.