by fontain 28 days ago
How often do we need to revoke individual JWTs anyway? You solve for cookie theft with short expiry and key compromise by rotating keys. I don’t find the revocation issue very compelling as a reason to ditch JWTs.

You have never used the "Log me out from everywhere" feature. I've used it. It's also for when I want to change my password and invalidate all sessions.
Is revocation really such a hard problem? Seems you could store a set of revoked tokens in memory and have a background task update it every couple of seconds. I guess it’s a separate set of infrastructure to maintain but I don’t see why it’s always presented as the thing that undermines an entire authentication scheme.

I guess if you need your tokens revoked this millisecond it’ll require an extra synchronous call on every request, but that seems like an unlikely requirement. And not that any of this matters for your 10-user app anyway, I guess.

I don’t recall ever in my life using that feature on the small number of services that offer it.
You have, and unknowingly so. If you change your password, this one triggers and you have to log in everywhere, e.g. Instagram, Facebook, GitHub, etc.
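The in-memory revoked set with a periodic background refresh described above, together with the "log me out from everywhere" / password-change case from the thread, as an added Python example that is not code from any commenter. It assumes a constructed HS256 secret, a constructed in-process STORE standing in for the real revocation database, and explicit `now` timestamps so the refresh window can be exercised deterministically.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed for the example; load from config in real code
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Minimal HS256 JWT (header.payload.signature), just enough to exercise the verifier."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# Constructed revocation store standing in for the database a background task polls.
STORE = {"revoked_jtis": set(), "invalidated_before": {}}
def revoke_token(jti: str) -> None:
    STORE["revoked_jtis"].add(jti)
def logout_everywhere(sub: str, now: float) -> None:
    """'Log me out from everywhere' / password change: reject every token issued before now."""
    STORE["invalidated_before"][sub] = now
def load_from_store():
    return set(STORE["revoked_jtis"]), dict(STORE["invalidated_before"])

class RevocationCache:  # in-memory copy of the revocation state, re-read once per refresh_seconds
    def __init__(self, load_fn, refresh_seconds: float = 2.0):
        self._load, self._refresh, self._loaded_at = load_fn, refresh_seconds, None
        self.revoked_jtis, self.invalidated_before = set(), {}
    def refresh_if_stale(self, now: float) -> None:
        if self._loaded_at is None or now - self._loaded_at >= self._refresh:
            self.revoked_jtis, self.invalidated_before = self._load()
            self._loaded_at = now

def verify_jwt(token: str, cache: RevocationCache, now: float, secret: bytes = SECRET):
    """Return the claims dict if the token is acceptable, otherwise a short rejection reason."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()  # alg fixed here, never read from the token
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        return "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return "expired"  # short expiry bounds how long a stolen token stays usable
    cache.refresh_if_stale(now)  # revocation state is at most refresh_seconds stale
    if claims.get("jti") in cache.revoked_jtis:
        return "revoked"
    if claims.get("iat", 0) < cache.invalidated_before.get(claims.get("sub"), 0):
        return "session invalidated"
    return claims
```

Within `refresh_seconds` of a revocation the verifier still accepts the token; that window is exactly the trade-off the comment above describes, and shrinking it to zero is what would require the synchronous call per request.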