2

It looks like a JWT really contains the necessary info inside itself, and the correctness of this data is ensured via cryptographic signatures. Are there any reasons to persist this token somewhere on the server, or should an "issue and forget" policy be fine?

silent_coder

1 Answer

1

No, there is no reason to store JWT tokens on the server side. You can validate the token by checking the signature. No need to talk to any server.

If the tokens have a short time to live, there's no need to revoke the access token itself.

Refresh tokens, on the other hand, are stored on the authorization server, have a long time to live and can be revoked.

MvdD