DEV Community


Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

samjakob profile image
Sam (NBTX)

Gotcha! That all makes sense and I understand the approach but really this is my sorta quandary when it comes to JWTs, like you said:

I do not know if this is the best answer and I am not sure how I feel about giving access for a short period of time even if I have revoked the refresh_token but I have read about people using this approach. So, in the end, you are making DB calls but they are not on every request, you make DB calls only when the acess_token expires.

I feel like it ends up being essentially a glorified session token simply because the access period is so low you might as well just check it on every request. (The idea of having it available for a short period after revocation - no matter how long - really doesn’t sit well.)

I feel like there’s a use case for JWT but it certainly isn’t a be-all-end-all to simply replace the session token in all cases.

Forem Open with the Forem app