It really doesn’t seem very hard to have a small invalidation list. Just a redis cache or a simple broadcaster, etc.
Does anyone have an example of how they built a JWT revocation service?
See my sibling comment about the "signout from all devices / iat" pattern. This is only a few lines of code.
If you want to be more fancy and fast, you can use bloom filters to check if a token is in a revocation list.
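An added example (mine, not code from anyone in this thread) of both patterns named above: a per-user "signed out at" cutoff compared against `iat`, plus a Bloom filter as a fast local pre-check in front of an authoritative revoked-`jti` set (standing in for the redis list mentioned upstream). It assumes the claims passed in have already had their signature and `exp` verified.

```python
import hashlib
import time


class BloomFilter:
    """Fixed-size Bloom filter over revoked token ids. It can report a false
    positive (a live token flagged, which fails safe and is re-checked against
    the exact set) but never a false negative (a revoked token slipping through)."""

    def __init__(self, bits=8192, hashes=4):
        self.bits, self.hashes = bits, hashes
        self.bitset = bytearray(bits // 8)

    def _positions(self, item):
        # k independent positions derived from salted SHA-256 digests
        for i in range(self.hashes):
            d = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(d[:8], "big") % self.bits

    def add(self, item):
        for p in self._positions(item):
            self.bitset[p // 8] |= 1 << (p % 8)

    def might_contain(self, item):
        return all(self.bitset[p // 8] & (1 << (p % 8)) for p in self._positions(item))


class RevocationService:
    """Revocation checks for claims that are already signature- and exp-verified."""

    def __init__(self):
        self.signed_out_at = {}          # sub -> unix time of "sign out from all devices"
        self.revoked_bloom = BloomFilter()  # cheap pre-check, may false-positive
        self.revoked_exact = set()       # authoritative store, consulted only on a Bloom hit

    def signout_all_devices(self, sub, now=None):
        self.signed_out_at[sub] = int(now if now is not None else time.time())

    def revoke(self, jti):
        self.revoked_bloom.add(jti)
        self.revoked_exact.add(jti)

    def is_revoked(self, claims):
        cutoff = self.signed_out_at.get(claims["sub"])
        # iat has second granularity: a token minted in the same second as the
        # sign-out is treated as pre-sign-out, so the ambiguity fails safe
        if cutoff is not None and claims["iat"] <= cutoff:
            return True
        jti = claims.get("jti")
        if jti is not None and self.revoked_bloom.might_contain(jti):
            return jti in self.revoked_exact
        return False
```

Entries in `signed_out_at` and `revoked_exact` can be dropped once every token they could affect has passed its `exp`, which keeps both structures small.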