
Because else how do you handle key revocation?


Which is the point of the post.

If you need to do revocation you need to call an external server.

If you need to call an external server why do JWT?


Because pinging another server for a few bytes of data and offloading that working memory to the client side is much more efficient than storing the session data in server memory in between requests. Furthermore, a single coordinating key server can work in conjunction with many micro-services to simplify architecture, security, and hardware requirements.
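An added illustration of the trade-off the two comments above describe (not code from any commenter): a stateless HS256 JWT verifier that resolves the token's `kid` through a stand-in for the coordinating key server, so revoking a key at that server takes effect on the next lookup, while a verifier holding a cached copy keeps accepting the same token. The key server, key ids and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed stand-in for the coordinating key server: key id -> HMAC secret.
# Revocation is deleting the entry; any verifier that asks the server on each
# request stops accepting tokens signed with that key immediately.
KEY_SERVER = {"k1": b"constructed-secret-1", "k2": b"constructed-secret-2"}

def revoke(kid: str) -> None:
    KEY_SERVER.pop(kid, None)

def issue(kid: str, claims: dict) -> str:
    """Mint a compact HS256 JWT carrying the signing key id in its header."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY_SERVER[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(token: str, lookup_key, now=None):
    """Return the claims if the token is valid, else None.

    `lookup_key(kid)` models the per-request call to the key server; it returns
    the secret, or None when the key id is revoked or unknown.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":  # only accept the algorithm we expect
            return None
        key = lookup_key(header.get("kid"))
        if key is None:  # revoked or unknown key: reject without checking the signature
            return None
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
        if not isinstance(claims, dict):
            return None
        now = time.time() if now is None else now
        if "exp" in claims and claims["exp"] <= now:
            return None
        return claims
    except ValueError:  # malformed base64 or JSON, or a wrong number of segments
        return None
```

A verifier that caches the secret locally (or embeds it at build time) never sees the revocation, which is the external call the thread is arguing about.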



