[robotdan]

Many prevailing strategies simply persist the JWT, this works, but is more difficult to scale and sort breaks the portability idea in my opinion.

Once you persist it - you might as well be using a session. I suppose it depends on your scale - maybe with just a couple of thousand users it would work ok to store every JWT issued for their lifespan.

[jakelazaroff]

Are people really running into such terrible scaling issues with their session database that the solution is to ditch it and use an entirely different authentication strategy? It's not like we haven't been scaling databases for decades!

I agree that persisting the JWT means you may as well be using a session, but my takeaway from that is that you should just use a session, not come up with more weird workarounds to justify JWTs.

[brokenwren]

Randall Degges has a blog post on this. It's pretty good actually: https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-...

[robotdan]

I'd say it is always good to have options. If sessions work, that is a safe option and easy to manage state.

If at scale this option doesn't work - or at least not as well as you'd like, additional strategies are good to know.

If you plan for Pokemon Go, or Fornite scale, decoupling may be beneficial. Admittedly this is a small percentage of all of the use cases.