6

One advantage of JWT that I never realized: session tokens are stored client side, saving network calls to validate them.

Very cool. Love it.

Comments
  • 6
    Excuse me sir, this is a ranting site. You're supposed to be angry and ranting.

    Thank you, come again.
  • 4
    Unfortunately, you still should make that call validating your token in the backend. JWT should be looked up in the revocation list.
  • 2
    @netikras that's fair enough, I hadn't really thought of that, but the advantage over typical tokens is still pretty massive because of the short life of an access token and the ability to validate whether or not they've expired w/o db call

    At the point a token is revoked, you can just hash it and put it into a table along with the token's expiry date. Whenever a token is used, check that it isn't in this table. Table cleanup can be aggressive, because any expired token wouldn't pass the first step of validation. So even for an enormous company with lots of login activity I don't see this table, or its lookups, getting very large at all
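The flow this last comment describes, as an added example that is not from the thread: signature and exp are verified locally with no database call, and only tokens that survive are looked up in a small table keyed by SHA-256 of the token, which is pruned of expired entries. The HS256 key, claim names and timestamps are constructed assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: the HS256 key shared with the issuer

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict, ttl: int, now: int) -> str:
    """Issue a short-lived HS256 token; the exp claim is what makes expiry checkable offline."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({**claims, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class Revocations:
    """hash(token) -> exp, the small table the comment describes."""
    def __init__(self):
        self.table = {}

    def revoke(self, token: str, now: int) -> None:
        exp = json.loads(b64url_decode(token.split(".")[1]))["exp"]
        if exp > now:  # an already-expired token never reaches the lookup, so skip it
            self.table[hashlib.sha256(token.encode()).hexdigest()] = exp

    def cleanup(self, now: int) -> None:
        self.table = {h: exp for h, exp in self.table.items() if exp > now}

    def contains(self, token: str) -> bool:
        return hashlib.sha256(token.encode()).hexdigest() in self.table

def validate(token: str, revs: Revocations, now: int):
    """Signature and exp are checked locally; only survivors hit the revocation table."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"  # never let the token choose the algorithm
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    if json.loads(b64url_decode(payload)).get("exp", 0) <= now:
        return False, "expired"
    if revs.contains(token):
        return False, "revoked"
    return True, "ok"
```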