ReallySimpleJWT

Destroying the active token

Open · emresaracoglu opened this issue 4 years ago · 1 comment

Hello,

I want to expire/kill a currently active Token. Is this possible?

Thank you for your work!

emresaracoglu · Oct 20 '21 14:10

Old question, but I figured I'd answer. A JWT token typically isn't stored and therefore can't be revoked. You can, however, store valid tokens (for example in a database for the particular user) which can then be validated on each access. This kind of defeats one of the benefits of a JWT token (low server-side load as it doesn't require a database to validate), but does accomplish your goal.

The more typical way this is accomplished is to create both a standard JWT token and a refresh token, which is only sent when refreshing the JWT token. This refresh token is stored in a database and validated. This way, you can revoke a user by deleting the refresh token from the database. This allows for the low-overhead, no-database-needed benefits of a JWT token, but you can revoke a user's connection by deleting the refresh token.

teckel12 · Feb 14 '24 21:02
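The two revocation strategies in the answer above, as an added example that is not part of this issue thread and not ReallySimpleJWT's own code (the library is PHP; this is a self-contained Python sketch so it runs without dependencies). It hand-rolls HS256 minting and verification with a constructed demo secret, and uses in-memory dicts where a real deployment would use the database the answer mentions. It goes slightly beyond the comment in one respect: instead of storing every valid token, it stores only revoked token IDs (a denylist of `jti` values kept until each token's `exp`), which is the equivalent per-request check with less state. The second strategy is the refresh-token pattern: short-lived access tokens, a server-side refresh token that is single-use (rotated on every refresh), and revocation by deleting the user's refresh tokens. Note the caveat the answer implies: under the refresh-token approach an already-issued access token keeps working until its `exp`, which is why `ACCESS_TTL` is kept short. All names here (`AuthServer`, `mint_jwt`, `verify_jwt`, `revoke_user`) are assumptions for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret; use a random key from a secret store in practice.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now: float | None = None) -> dict | None:
    """Return the claims if the signature and exp check out, else None. No revocation here."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse alg=none / algorithm confusion
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad split, bad base64, bad JSON
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


class AuthServer:
    ACCESS_TTL = 300          # short: bounds how long a revoked user keeps access
    REFRESH_TTL = 7 * 86400

    def __init__(self) -> None:
        self.revoked_jti: dict[str, float] = {}    # approach 1: jti -> exp (denylist)
        self.refresh_store: dict[str, dict] = {}   # approach 2: sha256(refresh) -> {sub, exp}

    def login(self, user_id: str, now: float) -> tuple[str, str]:
        access = mint_jwt({"sub": user_id, "jti": secrets.token_hex(8),
                           "iat": int(now), "exp": int(now) + self.ACCESS_TTL})
        refresh = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked store does not hand out usable refresh tokens.
        self.refresh_store[hashlib.sha256(refresh.encode()).hexdigest()] = {
            "sub": user_id, "exp": now + self.REFRESH_TTL}
        return access, refresh

    def authorize(self, token: str, now: float) -> dict | None:
        """Per-request check: signature + exp, then the server-side denylist."""
        claims = verify_jwt(token, now=now)
        if claims is None:
            return None
        self._prune(now)
        if claims.get("jti") in self.revoked_jti:
            return None
        return claims

    def revoke_access_token(self, token: str, now: float) -> None:
        """Approach 1: kill one live token; remember its jti only until it would expire anyway."""
        claims = verify_jwt(token, now=now)
        if claims and "jti" in claims:
            self.revoked_jti[claims["jti"]] = claims["exp"]

    def refresh(self, refresh_token: str, now: float) -> tuple[str, str] | None:
        key = hashlib.sha256(refresh_token.encode()).hexdigest()
        rec = self.refresh_store.pop(key, None)  # single use: rotate on every refresh
        if rec is None or rec["exp"] <= now:
            return None
        return self.login(rec["sub"], now)

    def revoke_user(self, user_id: str) -> int:
        """Approach 2: delete the user's refresh tokens; outstanding access tokens die at exp."""
        doomed = [k for k, v in self.refresh_store.items() if v["sub"] == user_id]
        for k in doomed:
            del self.refresh_store[k]
        return len(doomed)

    def _prune(self, now: float) -> None:
        for jti in [j for j, exp in self.revoked_jti.items() if exp <= now]:
            del self.revoked_jti[jti]
```

The trade-off is visible in the two stores: `revoked_jti` costs a lookup on every request but takes effect immediately, while `refresh_store` is consulted only on refresh, so revocation lags by up to `ACCESS_TTL`. Teams usually pick the refresh-token pattern and size `ACCESS_TTL` to the lag they can tolerate, adding the denylist only for high-value sessions that must die at once.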