JSON Web Tokens (JWTs) are Not Safe

JSON Web Tokens can be used to validate user locally without the need for a database but then you put yourself at risk for massive security issues.

Randall Degges

Head of Developer Advocacy, Okta

To be clear: This article does not argue that you should never use JWT—just that it isn’t suitable as a session mechanism, and that it is dangerous to use it like that. Valid use cases do exist for them, in other areas.

Sven Slootweg

Cryto.net, Stop Using JWT for Sessions

I don’t care if you want to use stateless client tokens. They’re fine. You should understand the operational limitations (they may keep you up late on a Friday scrambling to deploy a token blacklist), but, we’re all adults here, and you can make your own decisions about that. The issue with JWT in particular is that it doesn’t bring anything to the table, but comes with a whole lot of terrifying complexity. Worse, you as a developer won’t see that complexity: JWT looks like a simple token with a magic cryptographically protected bag-of-attributes interface. The problems are all behind the scenes.

Thomas H. Ptacek

a well-known security researcher on Hacker News