
Yes. Revocation is painful with all of the stateless approaches; it's not on its own a reason to avoid JWT. On the other hand, the folkloric draw of JWT is that it's stateless, and they're only stateless if you can revoke them without issuing SQL queries.


A downside of stateful auth is the extra DB round trip on every request.

Different revocation techniques like periodically distributing a revocation list to your auth services can resolve that part of the issue.
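To make the trade-off in this thread concrete, here is an added example (my own code, not from any commenter) of a stateless HS256 token check that consults a locally cached revocation list instead of a database. The list is refreshed from a distribution source at most once per interval; the source is a constructed in-memory set standing in for a file or pub/sub feed, and the secret is a constructed example value. The walkthrough in `demo()` shows the window during which a revoked token is still accepted until the next refresh, and that expiry bounds that window regardless.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example; a real deployment loads it from a secret store.
SECRET = b"example-hs256-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, jti: str, ttl_seconds: int, now: float) -> str:
    """Mint a compact HS256 JWT with a unique id (jti) and a short expiry."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "jti": jti, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationList:
    """Local copy of the revoked-jti set, refreshed from a distribution source
    (file, pub/sub topic, etc.) at most once per refresh_interval seconds.
    Verifying a request never touches the source directly."""

    def __init__(self, fetch, refresh_interval: float):
        self._fetch = fetch            # callable returning the current set of revoked jtis
        self._interval = refresh_interval
        self._revoked = set()
        self._last_refresh = float("-inf")
        self.fetch_count = 0           # how many times the source was consulted

    def refresh_if_due(self, now: float) -> None:
        if now - self._last_refresh >= self._interval:
            self._revoked = set(self._fetch())   # copy, so later source edits need a refresh
            self._last_refresh = now
            self.fetch_count += 1

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked


def verify_token(token: str, revocations: RevocationList, now: float):
    """Return the payload if the token is signed, unexpired and not revoked, else None.
    Per-request cost: one HMAC plus an in-memory set lookup; no database round trip."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":   # only accept the algorithm we issue
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:                     # malformed base64 or JSON (binascii.Error is a subclass)
        return None
    if payload.get("exp", 0) <= now:
        return None
    revocations.refresh_if_due(now)
    if revocations.is_revoked(payload.get("jti", "")):
        return None
    return payload


def demo():
    """Issue -> revoke centrally -> observe propagation delay -> rejection -> expiry."""
    revoked_at_source = set()             # constructed stand-in for the distributed list
    rl = RevocationList(fetch=lambda: revoked_at_source, refresh_interval=60)
    t0 = 1_700_000_000.0
    tok = issue_token("alice", jti="jti-1", ttl_seconds=900, now=t0)
    results = []
    results.append(verify_token(tok, rl, t0) is not None)        # valid; list fetched once
    revoked_at_source.add("jti-1")                                  # revoked centrally at t0+1
    results.append(verify_token(tok, rl, t0 + 1) is not None)    # still accepted: local copy stale
    results.append(verify_token(tok, rl, t0 + 61) is not None)   # refresh due: now rejected
    results.append(verify_token(tok, rl, t0 + 901) is not None)  # expired; never reaches the list
    return results, rl.fetch_count


if __name__ == "__main__":
    print(demo())
```

The staleness window is the refresh interval, so the interval and the token TTL together set how long a revoked token can keep working; shortening either reduces the window at the cost of more list fetches or more re-issuance.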



