elcritch 7 hours ago
It really doesn’t seem very hard to have a small invalidation list. Just a redis cache or a simple broadcaster, etc. Does anyone have an example of how they built a JWT revocation service?
littlecranky67 7 hours ago
See my sibling comment about the "signout from all devices / iat" pattern. This is only a few lines of code. If you want to be more fancy and fast, you can use bloom filters to check if a token is in a revocation list.
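
A sketch of the two ideas raised in this thread, added here as an example and not code from either commenter: a per-user `iat` cutoff plus a Bloom filter in front of an exact revocation list. It assumes the `iat` pattern means "reject any token issued before the user's last sign-out-everywhere time" (the sibling comment is not on this page); the class and method names are hypothetical, and the in-memory set stands in for Redis or another authoritative store.

```python
import hashlib

class BloomFilter:
    """Fixed-size Bloom filter: no false negatives, rare false positives."""
    def __init__(self, bits=8192, hashes=4):
        self.bits, self.hashes = bits, hashes
        self.array = bytearray(bits // 8)

    def _positions(self, item):
        for i in range(self.hashes):
            # Derive independent hashes by salting BLAKE2b with the index.
            digest = hashlib.blake2b(item.encode(), digest_size=8,
                                     salt=i.to_bytes(2, "big")).digest()
            yield int.from_bytes(digest, "big") % self.bits

    def add(self, item):
        for p in self._positions(item):
            self.array[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.array[p // 8] & (1 << (p % 8))
                   for p in self._positions(item))

class RevocationList:
    def __init__(self):
        self.bloom = BloomFilter()
        self.revoked_jti = set()  # stand-in for the authoritative store
        self.min_iat = {}         # sub -> earliest acceptable iat (epoch seconds)
        self.store_lookups = 0    # how often the slow path was needed

    def revoke_token(self, jti):
        self.revoked_jti.add(jti)
        self.bloom.add(jti)

    def sign_out_everywhere(self, sub, now):
        self.min_iat[sub] = now

    def is_revoked(self, claims):
        # claims: payload of a JWT whose signature and exp were already verified.
        if claims["iat"] < self.min_iat.get(claims["sub"], 0):
            return True           # issued before the user's last global sign-out
        if claims["jti"] not in self.bloom:
            return False          # definite miss: no store round trip
        self.store_lookups += 1   # possible hit: confirm against the exact list
        return claims["jti"] in self.revoked_jti
```

Entries only need to stay in the list until the token's own `exp` passes, so the exact store can use a TTL and the Bloom filter can be rebuilt from it periodically.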