jwt Invalidating Json Web Tokens Token blacklist


Mark invalid tokens, store until their expiration time and check it in every request.

Blacklist breaks JWT statelessness because it requires maintaining the state. One of the benefits of JWT is no need server storage, so if you need to revoke tokens without waiting for the expiration, think also about the downside

Manage the blacklist

The blacklist can be easily managed in your own service/database. The storage size probably would not be large because it is only needed to store tokens that were between logout and expiry time.

Include the full token or just the unique ID jti. Set the iat (issued at) to remove old tokens.

To revoke all tokens after updating critical data on user (password, permissions, etc) set a new entry with sub and iat when currentTime - maxExpiryTime < last iss‚Äč. The entry can be discarded when currentTime - maxExpiryTime > lastModified (no more non-expired tokens sent).