by jotato 3 hours ago
> "You cannot invalidate individual JWT tokens". Which every time I've implemented, the general guideline is to check for invalidated nonces somewhere. Which resolves that random blog post's second point too.

100% agree. This is common sense to me and I'm always surprised to re-learn people don't do this.


Not checking the signature on every single JWT is the same as storing a password in plain text.
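Both comments above describe the same two checks: verify the signature on every token, and consult a revoked-nonce (jti) list so an individual token can be invalidated. The following is an added example in Python, not code from either commenter; the secret, the in-memory denylist standing in for a shared store, and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-not-for-production"  # constructed; load from a secret store in practice
REVOKED_JTI = set()  # stands in for a shared store whose entries expire with the token's exp


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_token(sub, jti, ttl=3600, now=None):
    """Mint an HS256 JWT carrying a unique jti so it can later be revoked individually."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "jti": jti, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def revoke(jti):
    REVOKED_JTI.add(jti)


def verify_token(token, now=None):
    """Return the payload of a valid token; raise ValueError otherwise.
    The signature is checked before anything in the payload is trusted."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed")
    # Pin the algorithm server-side; never let the token choose (blocks alg=none).
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    if payload.get("jti") in REVOKED_JTI:  # per-token invalidation via the nonce denylist
        raise ValueError("revoked")
    return payload


def token_status(token, now=None):
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_token(token, now)
        return "ok"
    except ValueError as e:
        return str(e)
```

The denylist only needs to hold a jti until that token's exp passes, after which the expiry check rejects it anyway.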