To JWT or not to JWT
Why JWT is not a one-size-fits-all solution.
© like_the_grand_canyon
on Flickr (CC-BY-NC)
A Base64URL-encoded string with three parts: header, payload, and signature
Encryption (JWE) is possible, but signed tokens (JWS) are the standard
Marketed as stateless — but revocation always adds state
Why you might want JWT
- Third-party identity providers (e.g., Auth0, Okta) give you a JWT
- Save database queries by storing profile info or permissions in the token
- Increased token size impacts every request
- Benefit disappears if you're hitting the user table anyway
- Supports offline mode for Mobile/Desktop apps
- Without profile data, a simple opaque token is often better
JWTs are immutable – data remains "valid" until expiration, even after the data changes server-side
Stateless revocation is impossible – locking users out requires a blocklist, adding back the complexity you wanted to avoid
Implementing "Log out from all devices" requires tracking state, defeating the purpose
- Use JWT if required by third-party providers
- Prefer Session/Cookie Auth for Web Apps
- Use Opaque Tokens for Mobile and Desktop Apps
Benedikt Bauer
Beyonder GmbH