In this book, we examine JWTs, their perceived benefits, and their actual dangers. We’ll also discuss battle-tested alternatives to replace them. We’ll explore:
JSON Web Tokens can be used to validate a user locally without the need for a database, but then you put yourself at risk for massive security issues.
Head of Developer Advocacy, Okta
To be clear: This article does not argue that you should never use JWT—just that it isn’t suitable as a session mechanism, and that it is dangerous to use it like that. Valid use cases do exist for them, in other areas.
Cryto.net, Stop Using JWT for Sessions
I don’t care if you want to use stateless client tokens. They’re fine. You should understand the operational limitations (they may keep you up late on a Friday scrambling to deploy a token blacklist), but, we’re all adults here, and you can make your own decisions about that. The issue with JWT in particular is that it doesn’t bring anything to the table, but comes with a whole lot of terrifying complexity. Worse, you as a developer won’t see that complexity: JWT looks like a simple token with a magic cryptographically protected bag-of-attributes interface. The problems are all behind the scenes.
Thomas H. Ptacek
a well-known security researcher on Hacker News
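A worked illustration of the point the quotes above make (local validation with no database, and the token blacklist you end up scrambling to deploy anyway), added here as an example; it is not code from the book, from Okta, or from the quoted authors. It uses a standard-library-only HS256 signer and verifier with a constructed key, constructed claims, and a fixed clock so the run is deterministic.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; a real deployment loads the key from a secret store.
SECRET = b"demo-hmac-key-not-for-production"
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_stateless(token: str, secret: bytes = SECRET, now: int = NOW):
    """Purely local validation (signature + expiry). Returns the claims or None.

    Nothing here consults a database, which is exactly why it cannot know
    that the user logged out or that the token was reported stolen.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the algorithm; ignore what the token asks for
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class RevocableVerifier:
    """The stateful patch: a server-side denylist of revoked token IDs (jti).

    Once you need this, every request does a lookup again, so the
    'no database' advantage of the stateless token is gone.
    """

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.revoked = set()  # in production: a shared store with TTL = token lifetime

    def revoke(self, token: str) -> None:
        claims = verify_stateless(token, self.secret)
        jti = claims.get("jti") if claims else None
        if jti:
            self.revoked.add(jti)

    def verify(self, token: str, now: int = NOW):
        claims = verify_stateless(token, self.secret, now)
        if claims is None or claims.get("jti") in self.revoked:
            return None
        return claims


def demo():
    """Returns (accepted_before_logout, stateless_after_logout, stateful_after_logout)."""
    token = sign_jwt({"sub": "alice", "jti": "t-1", "exp": NOW + 900})
    before = verify_stateless(token) is not None

    # The user clicks "log out" (or the token is reported stolen)...
    stateful = RevocableVerifier()
    stateful.revoke(token)

    # ...but a purely local verifier keeps accepting it until exp.
    stateless_after = verify_stateless(token) is not None
    stateful_after = stateful.verify(token) is not None
    return before, stateless_after, stateful_after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The signature check is exactly what makes the token "stateless": it proves the server minted the claims, not that the server still wants them honoured. The denylist restores revocation but reintroduces per-request shared state, which is the operational limitation the quotes describe.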