DEV Community

Discussion on: How to log out when using JWT

kopseng profile image
Carl-Erik Kopseng

The answer is that JWTs are misused and often are the wrong tool for the job. Like any new thing, a lot of people jump on the bandwagon without analyzing how and why this works. I suggest this really good article for the ups and downs of JWTs and what are good use cases. It taught me loads about JWTs and also scaling in general.

Being logged in is a state. Being logged out is another state - with substates: missing login information and having the wrong login information. One token can only meaningfully represent two of those states: present and not present. You need another (stateful) medium to represent the third, if that is required. These are technology independant facts.

The good thing about blacklists is that they represent a FAR smaller state than the number of valid sessions, so you can probably keep those cached in memory. This is due to

  • there are far fewer people explicitly logging out than are logged in
  • since all JWTs used as access tokens should have an expiration date you can clean the cache for old entries all the time

So it's not that bad :)