by RustyRussell 707 days ago
Presumably the macaroon itself contains a shortish timeout.

You can rate-limit (runes do this, which are simplified macaroons) but then the server is no longer stateless. Pretty sure I've ranted about this in HN comments before, could dig it out if you're interested?


Would appreciate it if you did, be so kind ...
https://news.ycombinator.com/item?id=39210946

Here's the inline:

See https://github.com/rustyrussell/runes for a simpler alternative and implementation (this has C and Python, but there's also a Rust implementation because why not?)

However, the "no db access" property has proven to be untenable in practice. Users end up wanting to see what runes are issued, blacklist them, know when they were last used, and have rate limits. The last two are a killer, requiring some state to be kept (unless your system allows you to return a modified rune to the user, which is a different workflow from normal bearer creds).
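Added example, not code from the runes project or from the commenter: a minimal macaroon-style credential with an HMAC chain, showing why a `time<` expiry can be checked statelessly while a `rate<` limit forces the server to keep per-credential usage state. The restriction syntax and the 60-second window are constructed for this illustration and are not the runes wire format.

```python
import hmac
import hashlib

# Constructed illustration, not the runes wire format: a macaroon-style bearer
# credential is an ordered list of restrictions plus an HMAC chain. The server
# keeps only the root secret; each appended restriction re-keys the HMAC with
# the previous tag, so a holder can narrow a credential but never widen it.

def mint(root_secret: bytes, unique_id: str):
    tag = hmac.new(root_secret, unique_id.encode(), hashlib.sha256).digest()
    return [unique_id], tag

def restrict(restrictions, tag, restriction: str):
    # new_tag = HMAC(old_tag, restriction): anyone can attenuate offline.
    new_tag = hmac.new(tag, restriction.encode(), hashlib.sha256).digest()
    return restrictions + [restriction], new_tag

def verify_tag(root_secret: bytes, restrictions, tag) -> bool:
    expected = hmac.new(root_secret, restrictions[0].encode(), hashlib.sha256).digest()
    for r in restrictions[1:]:
        expected = hmac.new(expected, r.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def check_stateless(root_secret, restrictions, tag, now: float) -> bool:
    """Decidable from the request alone, e.g. a short 'time<EPOCH' expiry.
    Unknown restrictions fail closed; 'rate<' is deferred to the stateful check."""
    if not verify_tag(root_secret, restrictions, tag):
        return False
    for r in restrictions[1:]:
        if r.startswith("time<"):
            if now >= float(r[5:]):
                return False
        elif not r.startswith("rate<"):
            return False
    return True

def check_with_state(root_secret, restrictions, tag, now: float, usage: dict) -> bool:
    """'rate<N' (fewer than N uses per 60 s) needs a per-credential usage store:
    this is the state that breaks the 'no db access' property."""
    if not check_stateless(root_secret, restrictions, tag, now):
        return False
    cred_id = restrictions[0]
    window = [t for t in usage.get(cred_id, []) if now - t < 60]
    for r in restrictions[1:]:
        if r.startswith("rate<") and len(window) >= int(r[5:]):
            usage[cred_id] = window
            return False
    usage[cred_id] = window + [now]
    return True
```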