All good, but - what about "microservices" architecture? Where several servers cannot validate the cookie session? Do you have a solution other than JWT?
Assuming you need the JWT for user properties because of your decoupled stateless architecture, just have another property on the JWT that holds a key.
Assuming you have a layer in your architecture that all your microservices use for config etc. Redis for example.
The value for that key in Redis could be the token.
This is an odd misconception I keep seeing about microservice architectures. Typically you have a gateway where requests arrive. The gateway verifies the session and forward the user context that it verified to any other systems it needs to contact.
This is how all the big companies that came up with the notion of microservices like Google and Facebook work.
We’re a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.