jotato 7 hours ago

> "You cannot invalidate individual JWT tokens". Which every time I've implemented, the general guideline is to check for invalidated nonces somewhere. Which resolves that random blog post's second point too.

100% agree. This is common sense to me and I'm always surprised to re-learn people don't do this

hparadiz 7 hours ago

Not checking the signature on every single JWT is the same as storing a password in plain text.

Natfan 3 minutes ago

Worse, it's storing identities in an editable format that any attacker can use to impersonate any user, no?