DEV Community

Discussion on: How to invalidate a compromised JWT

pazvanti

The approach with storing the timestamp of the revocation works really well as long as you only have one JWT for a user/application. However, if for the specified account there are multiple JWTs (for example one used by the user and one by some automated tool), you will revoke both. There are workarounds though, I believe, so I still consider your idea to be good :)

Thanks for the suggestion.
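The limitation raised in the comment, shown in an added Python example (not code from the article or the commenter): a single revocation timestamp per user rejects every token of that user issued before it, while keying the timestamp additionally by client (the `azp` claim is assumed here as the client identifier) invalidates only the compromised token and leaves the automated tool's token alone.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed sample claim sets for one account that holds two tokens at once.
# Signature/expiry verification is assumed to have happened before these checks.
USER_TOKEN = {"sub": "alice", "azp": "web-app", "iat": 1_700_000_000}
BOT_TOKEN = {"sub": "alice", "azp": "nightly-sync", "iat": 1_700_000_100}


@dataclass
class RevocationStore:
    # Article's approach: a single revocation timestamp per subject.
    per_subject: Dict[str, int] = field(default_factory=dict)
    # Workaround: a timestamp per (subject, client), so revoking the user's
    # browser session leaves the automated tool's token untouched.
    per_client: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def revoke_subject(self, sub: str, at: int) -> None:
        self.per_subject[sub] = max(self.per_subject.get(sub, 0), at)

    def revoke_client(self, sub: str, azp: str, at: int) -> None:
        key = (sub, azp)
        self.per_client[key] = max(self.per_client.get(key, 0), at)

    def is_valid(self, claims: dict) -> bool:
        # Fail closed: a token without sub/iat cannot be checked against any cutoff.
        if "sub" not in claims or "iat" not in claims:
            return False
        sub, iat = claims["sub"], claims["iat"]
        azp = claims.get("azp", "")
        cutoff = max(self.per_subject.get(sub, -1), self.per_client.get((sub, azp), -1))
        # Tokens issued at or before the cutoff are treated as revoked; rejecting one
        # extra second of tokens is cheaper than accepting one minted during revocation.
        return iat > cutoff


def demo() -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    # Per-subject revocation: both of alice's tokens die together.
    coarse = RevocationStore()
    coarse.revoke_subject("alice", at=1_700_000_200)
    both = (coarse.is_valid(USER_TOKEN), coarse.is_valid(BOT_TOKEN))
    # Per-client revocation: only the web-app token is invalidated.
    scoped = RevocationStore()
    scoped.revoke_client("alice", "web-app", at=1_700_000_200)
    one = (scoped.is_valid(USER_TOKEN), scoped.is_valid(BOT_TOKEN))
    return both, one  # ((False, False), (False, True))


if __name__ == "__main__":
    print(demo())
```

A token issued after the stored cutoff (for example after the user logs in again) passes the check, so the store never needs cleanup beyond the token lifetime.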