Hacker News
mwpmaybe on June 13, 2016 | on: Don't use JSON web tokens for sessions
What does the revocation list look like? "Reject all tokens for user X issued before timestamp Y?" Or do you assign UUIDs to your tokens?
numbsafari on June 14, 2016
I assign a unique ID for each token (the `jti` claim). So each token has a unique identifier and can be invalidated that way, and every token has the user's ID (the `sub` claim), and can be invalidated that way, if that fits your use case.
mwpmaybe on June 14, 2016
I read this wrong the first time. That makes sense. Thank you.
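An added example, not code from the thread or from either commenter, showing the two revocation strategies discussed above combined in one server-side check: a denylist keyed by the `jti` claim plus a per-user "reject everything issued before timestamp Y" cutoff keyed by `sub` and compared against `iat`, consulted only after the signature verifies. The HS256 signer, the secret and all claim values are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this HS256 example only; not from the thread.
SECRET = b"example-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_jwt(claims: dict, secret: bytes = SECRET) -> str:
    # Minimal HS256 signer, only so the example can mint tokens offline.
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class RevocationList:
    """Server-side state consulted on every request, after the signature check."""
    def __init__(self):
        self.revoked_jti = set()  # single tokens, keyed by their jti claim
        self.user_cutoff = {}     # sub -> iat; that user's older tokens are rejected
    def revoke_token(self, jti: str) -> None:
        self.revoked_jti.add(jti)
    def revoke_user_before(self, sub: str, cutoff: int) -> None:
        self.user_cutoff[sub] = max(cutoff, self.user_cutoff.get(sub, 0))
    def is_revoked(self, claims: dict) -> bool:
        if claims.get("jti") in self.revoked_jti:
            return True
        cutoff = self.user_cutoff.get(claims.get("sub"))
        return cutoff is not None and claims.get("iat", 0) < cutoff

def verify(token: str, rl: RevocationList, now: int, secret: bytes = SECRET):
    # Returns the claims if signature, expiry and revocation checks pass, else None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(sig), expected):
        return None
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", now + 1) <= now:
        return None
    # Without jti and sub the token could never be revoked, so refuse it outright.
    if "jti" not in claims or "sub" not in claims or rl.is_revoked(claims):
        return None
    return claims
```

Revoking a single token is O(1) against the `jti` set, while the per-user cutoff lets a password change or "log out everywhere" invalidate every earlier token without enumerating them; both lookups still require a store the verifier can reach on each request.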