
I'm the original author. There are several reasons:

- The cookie payload if you're using stateless JWTs will often be > 4kb, meaning you can't store the JWT in a cookie.
- You get no benefit from doing it this way since it is more complex to use JWTs than plain old session cookies.
- You will still need centralization regardless if you want to support token revocation.
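Added example, not part of the original comment: a Python sketch of the first and third points, using a hand-rolled HS256 JWT. The 4096-byte per-cookie limit, the key, the claim layout and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

COOKIE_LIMIT = 4096                # assumed per-cookie size limit in bytes
SECRET = b"constructed-demo-key"   # constructed key, for this example only
REVOKED_JTIS = set()               # central store that every verifier must consult

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(signing_input):
    return b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def sign_jwt(claims):
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}.{_mac(header + '.' + body)}"

def verify_jwt(token):
    """Stateless check: signature only (always HS256, the header is never
    trusted). Expiry handling is left out to keep the example short."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = _mac(parts[0] + "." + parts[1])
    if not hmac.compare_digest(parts[2].encode(), expected.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def verify_with_revocation(token):
    """Signature check plus a lookup in shared state, which is what makes
    revocation possible and what removes the 'stateless' property."""
    claims = verify_jwt(token)
    if claims is None or claims.get("jti") in REVOKED_JTIS:
        return None
    return claims

def build_session_claims(n_permissions):
    # Constructed session state: the more of it lives in the token, the bigger the cookie.
    perms = [f"project:{i}:write" for i in range(n_permissions)]
    return {"sub": "user-1001", "jti": "tok-0001", "perms": perms}

def fits_in_cookie(name, token):
    return len(f"{name}={token}".encode()) <= COOKIE_LIMIT

if __name__ == "__main__":
    for n in (3, 300):
        token = sign_jwt(build_session_claims(n))
        print(n, "permissions ->", len(token), "bytes, fits:", fits_in_cookie("session", token))
```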
