Allow the user's unique ID to be changed if the account is compromised, with a new username and password login.
To invalidate tokens when a user changes their password or permissions, sign the token with a hash of those fields. If any of these fields changes, all previous tokens automatically fail to verify. The downside is that verification requires access to the database.
Change the signature algorithm to revoke all current tokens in the event of a major security issue.
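One way to implement the password/permissions-hash approach described above, as an added example that is not from the original page: each user's HMAC key is derived from a server secret plus a SHA-256 hash of the stored password hash and permissions, so changing either field invalidates earlier tokens. The names `SERVER_SECRET`, `USERS`, `issue_token` and `verify_token` are hypothetical, the user record is constructed sample data standing in for the database, and expiry handling is left out to keep the focus on revocation.

```python
import base64, hashlib, hmac, json

SERVER_SECRET = b"constructed-demo-secret"  # constructed value; use a managed secret in practice

# Constructed in-memory stand-in for the database lookup the technique requires.
USERS = {"alice": {"password_hash": "constructed-hash-1", "permissions": ["read", "write"]}}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _user_key(user_id):
    """Per-user signing key bound to the current password hash and permissions."""
    rec = USERS[user_id]  # the database access the page names as the downside
    state = json.dumps([rec["password_hash"], sorted(rec["permissions"])]).encode()
    fingerprint = hashlib.sha256(state).digest()
    return hmac.new(SERVER_SECRET, fingerprint, hashlib.sha256).digest()

def issue_token(user_id):
    payload = _b64(json.dumps({"sub": user_id}).encode())
    sig = hmac.new(_user_key(user_id), payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)

def verify_token(token):
    """Return the user id if the token matches the user's current state, else None."""
    try:
        payload, sig = token.split(".")
        # The unverified subject is used only to select the key to check against.
        user_id = json.loads(_unb64(payload))["sub"]
        expected = hmac.new(_user_key(user_id), payload.encode(), hashlib.sha256).digest()
        valid = hmac.compare_digest(expected, _unb64(sig))
    except (ValueError, KeyError, TypeError):
        return None  # malformed token or unknown user
    return user_id if valid else None

if __name__ == "__main__":
    token = issue_token("alice")
    print("before change:", verify_token(token))
    USERS["alice"]["password_hash"] = "constructed-hash-2"  # simulated password change
    print("after change: ", verify_token(token))
```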