JWT: Invalidating JSON Web Tokens, other common techniques


  • Allow the user's unique ID to be changed if the account is compromised, combined with a fresh username and password login, so that tokens carrying the old ID no longer match any account

  • To invalidate tokens when a user changes their password or permissions, sign the token with a hash of those fields. If any of these fields change, all previously issued tokens automatically fail to verify. The downside is that verification requires access to the database to fetch the user's current values on every request.

  • Change the signature algorithm to revoke all current tokens at once in the event of a major security incident, since every existing token will then fail verification
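An added illustration of the second technique, not code from the original page: the per-user HMAC key is derived from a server secret plus a hash of the password hash and roles, so a change to either field silently rejects every older token. The server secret, the user store and the `signing_key`, `issue_token` and `verify_token` helpers are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data: a server-side secret and an in-memory user store.
SERVER_SECRET = b"constructed-server-secret-replace-in-production"
USERS = {"alice": {"password_hash": "pbkdf2$constructed-hash-v1", "roles": ["user"]}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_key(user: dict) -> bytes:
    """Derive the per-user HMAC key from the server secret and a hash of the
    fields whose change must invalidate old tokens (password hash, roles)."""
    fields = json.dumps({"pw": user["password_hash"], "roles": sorted(user["roles"])}, sort_keys=True)
    fingerprint = hashlib.sha256(fields.encode()).digest()
    return hmac.new(SERVER_SECRET, fingerprint, hashlib.sha256).digest()

def issue_token(username: str, ttl: int = 3600) -> str:
    """Issue an HS256 JWT whose key is bound to the user's current fields."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": username, "exp": int(time.time()) + ttl}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(signing_key(USERS[username]), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature matches the user's CURRENT fields and the
    token is unexpired, else None (one database/user lookup per verification)."""
    try:
        header, payload, sig = token.split(".")
        claims = json.loads(_b64url_decode(payload))
        user = USERS[claims["sub"]]
        provided = _b64url_decode(sig)
    except (ValueError, KeyError, TypeError):
        return None
    # The algorithm is fixed server-side; the header's "alg" value is never trusted.
    expected = hmac.new(signing_key(user), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] < time.time():
        return None
    return claims
```

A password reset or role change simply updates the stored fields; no revocation list is needed, but every verification must read the user record.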