[hunterb123]

The redis cache with invalidated tokens will be much smaller than storing all sessions.

And you can expire the invalidated keys faster (set the invalidated key expiration to the expiration of the JWT)

Not many people revoke sessions, but a lot of people create sessions. Much more efficient to only store and check revocations. The rest can be stateless.

[szastamasta]

I don't think that biggest issue with central auth database is its size.

[moduspol]

It depends on your scale, but even at small scale, your central auth database is something that needs to be highly available because your whole system is down otherwise.

Obviously the situation is the same when managing a token blacklist if you truly have a hard requirement that sessions be instantly invalidated at a specific point, but there's a good chance you don't. Maybe it's OK to presume signed tokens are still good for some amount of time if your blacklist server is unreachable, or maybe waiting until the JWT expires after 60 minutes is too long, but a one or two minute delay is acceptable. Or maybe you only check the blacklist for high-risk API requests.

It's not ideal. Invalidation is definitely a weakness of JWTs, but there's still a lot of value in baseline statelessness.