
For number 2, you could expire them by encoding some identifier based off a hash or key tied to the user object. Change that object and have the server reject the token if that metadata no longer validates.


Or have really short lived tokens, requiring regular refresh, and don't worry about expiring them... you can then delete the refresh token so it can't be found requiring full re-auth if necessary.

OAuth2 + JWT is fine... just whitelist the algorithms you allow and use HTTPS for all communications, even internal.
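The two mechanisms described in the comments above (a claim derived from the user object so that changing the object revokes outstanding tokens, plus short-lived tokens and an algorithm allowlist) put together in one place. This is an added example, not code from either commenter; it implements HS256 JWTs with the standard library only, and the secret, user table and `ufp` claim name are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data (not from the original page).
SECRET = b"constructed-example-secret-do-not-reuse"
ALLOWED_ALGS = {"HS256"}  # allowlist: anything else, including "none", is rejected

USERS = {
    "alice": {"password_hash": "pbkdf2$abc123", "role": "user"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def user_fingerprint(user: dict) -> str:
    """Identifier tied to the user object, as the first comment suggests.
    Any change to the fields folded in (password hash, role) changes the
    fingerprint, so tokens issued before the change stop validating."""
    material = f"{user['password_hash']}|{user['role']}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def issue_token(username: str, ttl_seconds: int = 300,
                now: Optional[float] = None) -> str:
    """HS256 JWT with a short lifetime and a user-fingerprint claim ("ufp")."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "exp": int(now) + ttl_seconds,
               "ufp": user_fingerprint(USERS[username])}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if valid, else None. Checks, in order: algorithm
    allowlist, signature, expiry, and that the user fingerprint still matches."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") not in ALLOWED_ALGS:
        return None  # "none" and any other unexpected algorithm are refused outright
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    if payload.get("exp", 0) <= now:
        return None
    user = USERS.get(payload.get("sub"))
    if user is None or payload.get("ufp") != user_fingerprint(user):
        return None  # user object changed (password reset, role change): token no longer valid
    return payload


if __name__ == "__main__":
    t0 = time.time()
    tok = issue_token("alice", now=t0)
    print("fresh token valid:", verify_token(tok, now=t0 + 10) is not None)
    USERS["alice"]["role"] = "admin"  # change the user object
    print("after role change:", verify_token(tok, now=t0 + 10))
```

The fingerprint check costs one user lookup per request, which is the trade-off the first comment implies: the token is no longer self-contained, but revocation becomes a matter of updating the user record rather than keeping a denylist. The short TTL bounds how long a leaked token is useful even if that lookup is skipped.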





