
So if a user’s role changes (e.g. some privileges are revoked), they can still act in their old role until their token expires? Sounds like you have a security issue. Which website is this again?



Privileges for doing anything serious (e.g. performing payments or changing security preferences) are not stored in the JWT; all checks are done on the server side. In case of emergency (e.g. we suspect a user session has been taken over) we lock the user account and purge the session from the backend. Without a session on the backend, a JWT won't do much.

It's a fintech consumer website (sorry, can't disclose the name).
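The pattern the reply describes, as an added illustration that is not the commenter's code: the JWT signature and expiry are checked, then the token's session id is looked up in a backend session store, and the privilege check uses the server's own role table rather than any claim in the token. It assumes HS256 with a constructed shared key and in-memory dicts standing in for the session and role stores.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: HMAC key shared by issuer and verifier

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict, secret: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, now: int):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # only the algorithm we issued is accepted
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims

# Backend state (constructed): live sessions and the authoritative role per user.
SESSIONS = {"sess-1": "alice"}
ROLES = {"alice": {"view"}}  # "pay" is not granted, whatever the token claims

def authorize(token: str, action: str, now: int, secret=SECRET,
              sessions=SESSIONS, roles=ROLES) -> bool:
    claims = verify_jwt(token, secret, now)
    if claims is None:
        return False  # bad signature, wrong alg, or expired
    if sessions.get(claims.get("sid")) != claims.get("sub"):
        return False  # session purged (account locked) -> token is useless
    return action in roles.get(claims["sub"], set())  # server-side privilege check

def lock_account(user: str, sessions=SESSIONS) -> None:
    """Emergency lock: purge every backend session for the user."""
    for sid in [s for s, u in sessions.items() if u == user]:
        del sessions[sid]
```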



