In my Flask app, resources are handled with @jwt_required(). A new login creates a new JWT token. I saved the access_token in the database and removed the old JWT. But I can access the resources with the old JWT token. Is there any process where I can prevent using the old JWT?
1 Answer
It is not possible to "destroy" an old token, it remains valid until the date specified during its creation. However, the Flask-JWT library offers the possibility of blocking an old jwt.
To do this you will need to use redis or a database, which will be used by Flask-JWT as an archive to store the revoked tokens.
Redis:
If your only requirements are to check if a JWT has been revoked, our recommendation is to use redis. It is blazing fast, can be configured to persist data to disc, and can automatically clear out JWTs after they expire by utilizing the Time To Live (TTL) functionality when storing a JWT.
Database:
If you need to keep track of information about revoked JWTs our recommendation is to utilize a database. This allows you to easily store and utilize metadata for revoked tokens, such as when it was revoked, who revoked it, can it be un-revoked, etc.
In the link I left you, you can also find a complete example for both options.

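Added example, not part of the question or the answer above and not Flask-JWT's own code: a self-contained, standard-library-only sketch of why the old token keeps working and how a revocation blocklist fixes it. It mints a minimal HS256 JWT with a unique `jti` claim, shows that a plain signature-and-expiry check (what `@jwt_required()` does with no blocklist) still accepts the old token after a new login, and then adds a blocklist store that mimics the Redis TTL approach the answer recommends. The `Blocklist` class, `SECRET`, the `login_flow_demo()` scenario and all claim values are constructed for the demo; in a real deployment the store would be Redis (key = `jti`, TTL = remaining token lifetime) and the token handling would be done by the library, not hand-rolled.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret. A real app loads this from configuration, never source code.
SECRET = b"demo-secret-not-for-production"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(subject, ttl_seconds, now=None):
    """Mint a minimal HS256 JWT with a unique jti, as a login endpoint would."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + ttl_seconds,
              "jti": secrets.token_hex(16)}  # jti is what the blocklist is keyed on
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_token(token, now=None):
    """Signature and expiry check only: an old but unexpired token still passes this."""
    now = time.time() if now is None else now
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(SECRET, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


class Blocklist:
    """In-memory stand-in for Redis SETEX: revoked jti -> timestamp when the entry may expire."""

    def __init__(self):
        self._entries = {}

    def revoke(self, jti, expires_at):
        # TTL equal to the token's own remaining lifetime: after exp the token is
        # rejected anyway, so the entry can be dropped automatically (Redis does this for us).
        self._entries[jti] = expires_at

    def is_revoked(self, jti, now=None):
        now = time.time() if now is None else now
        expires_at = self._entries.get(jti)
        if expires_at is None:
            return False
        if expires_at <= now:  # TTL elapsed; Redis would already have evicted the key
            del self._entries[jti]
            return False
        return True


def revoke_token(blocklist, token, now=None):
    """Called on logout or on a fresh login to retire the previous token."""
    claims = decode_token(token, now)  # an already-expired token needs no blocklist entry
    blocklist.revoke(claims["jti"], claims["exp"])


def authorize(blocklist, token, now=None):
    """What a jwt_required-style check does once a blocklist is configured."""
    claims = decode_token(token, now)
    if blocklist.is_revoked(claims["jti"], now):
        raise PermissionError("token revoked")
    return claims


def login_flow_demo():
    """Returns (old_token_accepted, new_token_accepted) after a second login revokes the first."""
    blocklist = Blocklist()
    t0 = 1_700_000_000.0  # constructed fixed clock so the demo is deterministic
    old_token = create_token("alice", 3600, now=t0)
    new_token = create_token("alice", 3600, now=t0 + 10)
    revoke_token(blocklist, old_token, now=t0 + 10)  # second login retires the first token

    def accepted(token):
        try:
            authorize(blocklist, token, now=t0 + 20)
            return True
        except (PermissionError, ValueError):
            return False

    return accepted(old_token), accepted(new_token)


if __name__ == "__main__":
    print(login_flow_demo())  # (False, True): old token rejected, new token accepted
```

The point the demo makes is the one in the answer: deleting the old token from your own table does nothing, because the server never looks it up; verification is purely cryptographic. Revocation has to be an explicit lookup of `jti` in a store consulted on every request, with the entry's TTL tied to the token's `exp` so the store does not grow without bound. In Flask-JWT-Extended the `is_revoked` step is wired in through its `token_in_blocklist_loader` callback rather than hand-written as here.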