by Robin_Message 629 days ago
This is a good writeup and a surprising bug!

For the average web app, it feels like JWT introduces some complexity (and footguns like this) for no real benefit. I mean, you can avoid a session lookup from redis or something, but that's hardly an expensive part of a request. You can always optimise hot, non-session requests (e.g. private image serving can use signed URLs).

Also, you can't revoke sessions unless you have a revocation list, in which case, why not just have a session list?!

Genuinely interested in real use cases for JWTs.


One advantage revocation lists have over session lists is that they can be distributed via a bloom filter. Assuming multiple services need to validate against some shared auth service, this can be a significant reduction in round trips.
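As an added illustration of the reply's point (this is not code from either commenter): the auth service packs the revoked JWT `jti` values into a Bloom filter that it can push to every verifying service. A filter miss is authoritative, since a Bloom filter never misses an element it was given, so no round trip is needed; only a hit, which may be a false positive, costs a lookup against the auth service. The class, the sizing formulas and the sample `jti` values are all assumptions made for this example.

```python
import hashlib
import math

class BloomFilter:
    """Bit array probed with k hashes: false positives possible, false negatives impossible."""
    def __init__(self, capacity: int, error_rate: float = 0.01):
        # Standard sizing: m = -n*ln(p)/(ln 2)^2 bits, k = (m/n)*ln 2 hashes
        self.m = max(8, int(-capacity * math.log(error_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Double hashing: derive k bit positions from one SHA-256 digest
        d = hashlib.sha256(item.encode()).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

    def to_bytes(self) -> bytes:
        # Compact blob the auth service can push (or serve) to every verifier
        return self.m.to_bytes(4, "big") + bytes([self.k]) + bytes(self.bits)

    @classmethod
    def from_bytes(cls, blob: bytes) -> "BloomFilter":
        bf = cls.__new__(cls)
        bf.m, bf.k, bf.bits = int.from_bytes(blob[:4], "big"), blob[4], bytearray(blob[5:])
        return bf

# Constructed sample: jti claims the auth service has revoked (assumed values).
REVOKED_JTIS = ["a1f3-9c2e", "b7d0-4e11", "c9aa-0f52"]

def build_revocation_filter(revoked) -> bytes:
    """Auth service side: encode the revocation list as a distributable filter."""
    bf = BloomFilter(capacity=max(len(revoked), 1))
    for jti in revoked:
        bf.add(jti)
    return bf.to_bytes()

def token_is_valid(jti: str, blob: bytes, auth_lookup) -> bool:
    """Verifier side. Filter miss: definitely not revoked, no round trip.
    Filter hit: possibly a false positive, so confirm with the auth service."""
    if not BloomFilter.from_bytes(blob).might_contain(jti):
        return True
    return not auth_lookup(jti)
```

Because a filter can only add false positives, a stale or corrupt filter can never let a revoked token through; the fallback lookup is what keeps the occasional false positive from denying a valid token.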