Aerys
Aerys7mo ago

How Do I Ban Users & Invalidate Their JWT Tokens?

When a malicious user gets banned by an admin, I have to ensure he no longer can access protected routes, but that means I have to query the database every time checking a user's token, is there a more efficient method for invalidating tokens?
2 Replies
Nick
Nick7mo ago
JWTs can’t be invalidated directly, they’re signed and verified offline by the server. So you’d have to maintain a ban-list in a key value store until after the JWT expires, or something similar
dylan
dylan6mo ago
you can always store your tokens db side and invalidate them, that's how you can select which tokens to invalidate from which location/device on many apps