JWT promises stateless authentication and delivers neither. It's a cargo cult that makes your app slower, less secure, and harder to maintain — and almost every developer shipping it has no idea why.
Yeah, I was reading this and thinking "they have a point" if they're referring to a personal project. They might have a point in some place where a simple auth and session cookies are enough.
Go into a company infrastructure that has a multitude of different systems (first and third party) and also some identity management system and SSO - now we're closer to the use case of a JWT. There's a saying "never roll your own crypto" - that somewhat applies to auth as well. There's so much that can (and will) go wrong.
They do have a point about token revocation (or the additional round trip for that), but… in the scenario above, why would you issue tokens that are valid longer than a day or a few hours??
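The trade-off the comment describes (short-lived tokens instead of, or alongside, a revocation round trip) is easy to see in code. The following is an added example, not code from the article or from any commenter: a minimal HS256 issuer and verifier using only the Python standard library, with a constructed shared secret, a pinned algorithm, an `exp` check and a `jti` deny-list lookup standing in for the revocation round trip. Function names, the secret and the sample identities are all assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the example only; not a real key.
SECRET = b"example-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_token(sub: str, jti: str, ttl_seconds: int, now: float) -> str:
    """Mint an HS256 JWT for `sub` that expires ttl_seconds after `now`.
    A short ttl is what bounds the damage window when revocation is not
    checked on every request."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = f"{_b64url_encode(_json_compact(header))}.{_b64url_encode(_json_compact(payload))}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, revoked_jtis: set, now: float) -> Optional[dict]:
    """Return the payload if the token is authentic, unexpired and not on the
    revocation list; otherwise return None.  `revoked_jtis` stands in for the
    extra round trip (cache or database lookup) the comment mentions."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the expected algorithm on the verifier side; the header is untrusted input.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        payload = json.loads(_b64url_decode(p_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Reject tokens without an expiry as well as expired ones.
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    if payload.get("jti") in revoked_jtis:
        return None
    return payload


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_token("alice", "session-1", ttl_seconds=3600, now=t0)
    print(verify_token(tok, set(), t0 + 10))            # accepted
    print(verify_token(tok, set(), t0 + 3600))          # None: expired
    print(verify_token(tok, {"session-1"}, t0 + 10))    # None: revoked
```

The verifier's two rejection paths are the point of the comment: with a one-hour `exp`, a compromised or logged-out token dies on its own within the hour, and the `revoked_jtis` lookup is only needed for the cases where waiting that long is unacceptable. For real deployments a vetted JWT library handles the parsing and key management; the hand-rolled HMAC here exists only so the checks are visible in one place.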