tRPC

How Do I Ban Users & Invalidate Their JWT Tokens?

Aerys 12/17/2023
When a malicious user gets banned by an admin, I have to ensure he can no longer access protected routes, but that means I have to query the database every time I check a user's token. Is there a more efficient method for invalidating tokens?
nlucas 12/17/2023
JWTs can’t be invalidated directly; they’re signed and verified offline by the server. So you’d have to maintain a ban-list in a key-value store until after the JWT expires, or something similar.
dylan 12/19/2023
You can always store your tokens DB-side and invalidate them; that's how you can select which tokens to invalidate from which location/device on many apps.
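
Added example, not part of the thread and not tRPC's own code: a sketch of the ban-list approach from the replies above, where a banned user id is held in a key-value store only until the last token issued before the ban has expired. The secret, the 15-minute token lifetime, the function names and the in-memory `Map` standing in for the store are all assumptions, and it assumes the login/refresh path still checks the database ban flag so no new tokens are issued.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // constructed value; load from config in practice
const TOKEN_TTL_S = 900;                  // assumed access-token lifetime (15 minutes)

const b64 = (v) => Buffer.from(v).toString("base64url");
const sign = (data) => createHmac("sha256", SECRET).update(data).digest();

// Minimal HS256 JWT issuer (hypothetical helper for this example).
function issueToken(userId, nowS) {
  const head = b64(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64(JSON.stringify({ sub: userId, iat: nowS, exp: nowS + TOKEN_TTL_S }));
  const signingInput = `${head}.${body}`;
  return `${signingInput}.${sign(signingInput).toString("base64url")}`;
}

// Stand-in for a key-value store with per-key expiry.
// userId -> unix second after which the entry is no longer needed.
const banList = new Map();

function banUser(userId, nowS) {
  // Any token issued before the ban is expired by nowS + TOKEN_TTL_S,
  // so the entry never has to outlive that moment.
  banList.set(userId, nowS + TOKEN_TTL_S);
}

function verifyToken(token, nowS) {
  const [head, body, sig] = token.split(".");
  if (!head || !body || !sig) return { ok: false, reason: "malformed" };

  // Offline signature check: always HS256, the header's alg is not trusted.
  const expected = sign(`${head}.${body}`);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }

  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  if (claims.exp <= nowS) return { ok: false, reason: "expired" };

  // One key lookup per request instead of a database query.
  const bannedUntil = banList.get(claims.sub);
  if (bannedUntil !== undefined) {
    if (nowS < bannedUntil) return { ok: false, reason: "banned" };
    banList.delete(claims.sub); // emulate the store's TTL eviction
  }
  return { ok: true, claims };
}
```

In a tRPC app the `verifyToken` check would sit in the middleware that guards protected procedures; shorter token lifetimes shrink both the ban-list and the window it has to cover.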
