
If I have to run a separate DB to check for revocations, why not skip JWTs and just use that separate DB for auth directly.



Not an issue for most cases, but a cache of revoked tokens is going to be much smaller than a DB of all users' tokens.


The advantage of redis or similar kv DBs / caches comes in being lighter and faster than a full second database, mostly.

The secondary advantage is you don't need to deal with cookie storage, sticky sessions or anything else along those lines.

If you're manually hand-crafting a server, go for it. If you're treating them like cattle, not pets, going stateless with a bearer token tends to be easier.
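To make the trade-off in this thread concrete, here is an added example (not code from any commenter) of a stateless HS256 bearer-token check backed by a small revocation denylist keyed on the token's `jti`. Entries only need to live until the token's own `exp`, which is why the denylist stays much smaller than a table of every issued token; the secret, claim layout and token ids are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: shared HS256 key, demo only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub: str, jti: str, exp: int) -> str:
    """Mint a minimal JWT; jti is what later lets us revoke just this token."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "jti": jti, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

class Denylist:
    """Revoked token ids. An entry is useless once the token has expired,
    so it is dropped at that point instead of growing without bound."""
    def __init__(self):
        self._revoked = {}  # jti -> exp of the revoked token

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str, now: float) -> bool:
        exp = self._revoked.get(jti)
        if exp is None:
            return False
        if exp <= now:           # token would be rejected as expired anyway
            del self._revoked[jti]
            return False
        return True

    def __len__(self) -> int:
        return len(self._revoked)

def verify(token: str, denylist: Denylist, now: float = None):
    """Return the claims if signature, alg, exp and revocation all pass, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(s), expected):
        return None          # tampered or foreign token
    header, claims = json.loads(_unb64(h)), json.loads(_unb64(p))
    if header.get("alg") != "HS256" or claims.get("exp", 0) <= now:
        return None          # alg confusion guard; expired tokens never pass
    jti = claims.get("jti")
    if jti is None or denylist.is_revoked(jti, now):
        return None          # unrevocable tokens are refused outright
    return claims
```

The denylist here is an in-process dict; in the deployment the thread describes it would be a Redis key with a TTL set to `exp - now`, giving the same self-pruning behaviour across a fleet of stateless servers.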



