
If I have to run a separate DB to check for revocations, why not skip JWTs and just use that separate DB for auth directly?


Not an issue for most cases, but a cache of revoked tokens is going to be much smaller than a DB of all users' tokens.


The advantage of Redis or similar KV DBs / caches comes in being lighter and faster than a full second database, mostly.

The secondary advantage is you don't need to deal with cookie storage, sticky sessions or anything else along those lines.

If you're manually hand-crafting a server, go for it. If you're treating them like cattle, not pets, going stateless with a bearer token tends to be easier.
