What's the difference between JWT and sessions?

Sessions are server-side, JWT is client-side. Sessions store user data in Redis/database, JWT stuffs it all in the token. JWT scales better because there's no session store to hit, but you can't revoke tokens easily. Pick your poison.

How long should tokens last?

15 minutes max. I know, I know, your users will hate re-authenticating constantly. But when someone's laptop gets stolen and you can't revoke their tokens, you'll understand why short expiration matters. Use refresh tokens to make it less painful.

How do I revoke a JWT? (The eternal question)

You can't. That's the whole point - they're "stateless." But everyone asks this because logout is a pretty basic feature. Your options: - Blacklist tokens in Redis (welcome back to stateful hell) - Make tokens expire fast and deal with refresh token complexity - Add a `jti` claim and track revoked IDs - Bump user version numbers and include them in tokens

Can I put sensitive data in the JWT?

Hell no. JWT is just base64 encoding, not encryption. Anyone can decode it with a simple online tool. Only put user IDs, roles, expiration - nothing you wouldn't want printed on a t-shirt.

Someone stole my JWT, now what?

Game over until it expires. That's why I keep saying make them expire in 15 minutes. You can: - Hope it expires soon - Blacklist it (if you have that infrastructure) - Force the user to re-login everywhere - Learn why sessions might have been better for this use case

Which algorithm should I use?

HS256 for simple stuff, RS256 if you need public/private key separation. Don't overthink it. The algorithm choice won't save you from storing tokens in localStorage or forgetting to validate expiration.

Where do I store JWTs in my React app?

Not in localStorage - that's XSS bait. Memory is safer but gets wiped on refresh. httpOnly cookies are probably your best bet: ```javascript // In-memory storage (gets wiped on refresh, but safer from XSS) let accessToken = null; // Interceptor to add token to requests axios.interceptors.request.use((config) => { if (accessToken) { config.headers.Authorization = `Bearer ${accessToken}`; } return config; }); // Handle 403s by trying to refresh axios.interceptors.response.use( (response) => response, async (error) => { if (error.response?.status === 403) { // Try refresh token (stored in httpOnly cookie) const refreshResponse = await fetch('/auth/refresh', { method: 'POST', credentials: 'include' // Sends httpOnly cookie }); if (refreshResponse.ok) { const { accessToken: newToken } = await refreshResponse.json(); accessToken = newToken; // Retry original request return axios.request(error.config); } } return Promise.reject(error); } ); ```

Can I share JWTs between services?

Sure, if you want every service to have the same secret and trust level. Usually a bad idea - use service-specific tokens or accept that your auth boundaries are fuzzy.

How do I implement logout with JWT?

You don't. Not really. JWT logout is like "stateless sessions" - an oxymoron. Your options all suck: - Blacklist tokens in Redis (now your stateless auth needs a database) - Clear client-side storage and pray the token expires soon - Keep a server-side session alongside your JWT (why did we use JWT again?) - Make tokens so short-lived that logout doesn't matter (refresh token hell)

Slower than session lookups, especially with RSA signatures. HMAC is faster but every request still does crypto. In production, I've seen JWT add 1-3ms per request vs 0.1ms for Redis session lookups. Caching helps but defeats the stateless purpose.

Should I use JWT for microservices?

Maybe. If you like passing tokens through 5 services and debugging why service D can't call service E with user context from service A. mTLS is often simpler for internal service auth.

How do I rotate JWT keys without breaking everything?

Support multiple keys at once, include `kid` (key ID) in headers, and pray your key management doesn't shit the bed during rotation. Test the rotation in staging first because you'll definitely break something in prod.

Currently viewing the AI version

Switch to human version

JWT (JSON Web Tokens) - AI-Optimized Technical Reference

Overview

JWT is a token-based authentication standard (RFC 7519) that embeds user data directly in the token instead of server-side storage. Primary trade-off: horizontal scalability vs. token revocation impossibility.

Critical Failure Modes

Token Revocation Impossibility

Problem: JWTs cannot be revoked once issued
Impact: Compromised tokens remain valid until expiration
Consequence: Stolen laptops/devices can maintain unauthorized access for token lifetime
Mitigation: 15-minute maximum expiration (industry learned standard)

Algorithm Confusion Attacks

Vulnerability: Attackers change algorithm from RS256 to HS256, using public key as HMAC secret
Frequency: Common enough to be mentioned in every security guide
Real incident: Startup with public key in repo - 10 minutes to forge admin tokens
Fix: Always specify allowed algorithms in verification code

"None" Algorithm Bypass

Attack: Setting alg: "none" makes unsigned tokens valid
Real incident: Fintech company - intern accessed any account by removing signature
Impact: Complete authentication bypass

Technical Specifications

Structure

header.payload.signature (three base64-encoded parts)

Performance Impact

Size: 400-800 bytes vs 32 bytes for session IDs
CPU overhead: 1-3ms per request vs 0.1ms for Redis session lookup
Scale threshold: Noticeable at 1000+ requests/second

Critical Claims

exp (Expiration): Must be ≤15 minutes (security requirement)
sub (Subject): User ID - primary key reference
iat (Issued At): Debug timestamps (timezone issues common)

Configuration That Works in Production

Secret Requirements

Minimum: 32 random bytes for HS256
Common failure: "secret", "password123", or hardcoded values
Storage: Environment variables only, never in code

Verification Code (Node.js)

jwt.verify(token, secret, {
  algorithms: ['HS256'],        // NEVER trust header
  audience: 'api.myapp.com',    // Prevent cross-service reuse
  issuer: 'auth.myapp.com',     // Verify issuer
  maxAge: '15m'                 // Double-check expiration
});

Storage Security

Never: localStorage (XSS vulnerability)
Better: httpOnly cookies with secure, sameSite flags
Best: In-memory storage with refresh token pattern

Resource Requirements

Implementation Time

Simple setup: 1-2 days
Production-ready with security: 1-2 weeks
Microservices integration: 2-4 weeks (token passing complexity)

Expertise Required

Understanding of crypto signatures
Knowledge of web security (XSS, CSRF)
Debugging skills for timestamp/timezone issues

Infrastructure Costs

Stateless benefit: No session storage needed
Reality: Redis instance for token blacklisting (defeats stateless purpose)
Scaling: Linear CPU cost increase per request

Critical Warnings

What Documentation Doesn't Tell You

Logout is fake - JWT logout cannot truly revoke tokens
Debugging is painful - "invalid token" errors with no context
Timezone hell - Docker containers with different timezones break iat validation
Library version traps - PyJWT 2.0+ requires explicit audience validation (breaking change)

Breaking Points

UI debugging limit: Becomes "nightmare" with complex token chains
Token chain complexity: Service-to-service calls become "relay race"
Memory pressure: Token caching defeats stateless benefits

Hidden Costs

Human time: Extensive debugging sessions (3+ hours common)
Security audit failures: Every vulnerability mentioned appears in production
Migration pain: Moving from sessions requires complete auth rewrite

Decision Criteria

When JWT is Worth It

Mobile APIs (cookies don't work well)
Microservices with scaling requirements
Third-party API integration
Horizontal scaling requirements

When Sessions are Better

Web applications requiring logout
High-security applications (banking)
Internal admin tools
When simplicity matters more than scale

Trade-off Matrix

Factor	JWT	Sessions
Scalability	Excellent	Database-limited
Security	Complex	Simpler
Logout	Impossible	Works
Debugging	Difficult	Straightforward
Infrastructure	Eventually needs Redis	Needs session store

Library Recommendations

Production-Tested Libraries

Node.js: jsonwebtoken (battle-tested, extensive Stack Overflow support)
Python: PyJWT (solid, watch for version breaking changes)
Java: Spring Security JWT (if using Spring Boot ecosystem)

Libraries to Avoid

Custom implementations (never roll your own crypto)
Libraries without explicit algorithm specification support
Any library supporting "none" algorithm by default

Common Implementation Patterns

Refresh Token Pattern

Access token: 15 minutes (in memory)
Refresh token: 1-7 days (httpOnly cookie)
Automatic refresh on 403 responses

Blacklist Implementation

// Redis blacklist for "stateless" tokens
const blacklisted = await redis.get(`blacklist:${tokenId}`);
if (blacklisted) return false;

Microservices Token Passing

Include user context in service-to-service calls
Alternative: mTLS for internal communication (often simpler)
Key rotation requires multi-key support with kid headers

Operational Intelligence

Monitoring Requirements

Token validation failure rates
Blacklist hit rates (if implemented)
Token size distribution
Refresh token usage patterns

Incident Response

Token compromise: Wait for expiration (15 minutes max)
Secret compromise: Immediate rotation required, expect downtime
Algorithm confusion detected: Emergency deployment with explicit algorithm validation

Migration Considerations

Sessions → JWT: Complete authentication rewrite required
JWT → Sessions: User re-authentication required
Cross-service migration: Coordinate deployment across all services

JWT (JSON Web Tokens) - AI-Optimized Technical Reference

Overview

Critical Failure Modes

Token Revocation Impossibility

Algorithm Confusion Attacks

"None" Algorithm Bypass

Technical Specifications

Structure

Performance Impact

Critical Claims

Configuration That Works in Production

Secret Requirements

Verification Code (Node.js)

Storage Security

Resource Requirements

Implementation Time

Expertise Required

Infrastructure Costs

Critical Warnings

What Documentation Doesn't Tell You

Breaking Points

Hidden Costs

Decision Criteria

When JWT is Worth It

When Sessions are Better

Trade-off Matrix

Library Recommendations

Production-Tested Libraries

Libraries to Avoid

Common Implementation Patterns

Refresh Token Pattern

Blacklist Implementation

Microservices Token Passing

Operational Intelligence

Monitoring Requirements

Incident Response

Migration Considerations

Related Tools & Recommendations

OAuth2 JWT Authentication Implementation - The Real Shit You Actually Need

OAuth 2.0 - Authorization Framework Under Siege

OAuth 2.0 Security Hardening Guide

SAML Identity Providers: Pick One That Won't Ruin Your Weekend

Firebase Alternatives That Don't Suck - Real Options for 2025

Firebase Alternatives That Don't Suck (September 2025)

Supabase vs Firebase Enterprise: The CTO's Decision Framework

Which JavaScript Runtime Won't Make You Hate Your Life

Build Trading Bots That Actually Work - IB API Integration That Won't Ruin Your Weekend

Claude API Code Execution Integration - Advanced Tools Guide

Thunder Client Migration Guide - Escape the Paywall

Fix Prettier Format-on-Save and Common Failures

Keycloak - Because Building Auth From Scratch Sucks

RAG on Kubernetes: Why You Probably Don't Need It (But If You Do, Here's How)

GitOps Integration Hell: Docker + Kubernetes + ArgoCD + Prometheus

Kafka + MongoDB + Kubernetes + Prometheus Integration - When Event Streams Break

Get Alpaca Market Data Without the Connection Constantly Dying on You

Fix Uniswap v4 Hook Integration Issues - Debug Guide

How to Deploy Parallels Desktop Without Losing Your Shit

Jsonnet - Stop Copy-Pasting YAML Like an Animal