JWT is a scam and your app doesn't need it
(www.dusanmalusev.dev)
Posts from the RSS Feed of HackerNews.
Yeah, I was reading this and thinking "they have a point, if they refer to talking about a personal project." They might have a point in some place where a simple auth and session cookies are enough.
Go into a company infrastructure that has a multitude of different systems (first and third party) and also some identity management system and SSO - now we're closer to the use case of a JWT. There's a saying "never roll your own crypto" - that somewhat applies to auth as well. There's so much that can (and will) go wrong.
They do have a point about token revocation (or the additional round trip for that), but... in the scenario above, why would you issue tokens that are valid longer than a day or a few hours?
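The trade-off the comment above describes (revocation needs a lookup, but a short `exp` bounds how long a revoked token stays dangerous) can be shown concretely. The following is an added example, not code from the commenter, the linked article, or any JWT library: a minimal HS256 signer and verifier built only on the Python standard library, with a `jti` denylist that is pruned once the tokens it covers have expired. The key, subject, `jti` values and timestamps are all constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption for the example; a real deployment would load it from a secret store).
SECRET = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Restore padding before decoding a JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(subject: str, jti: str, now: int, ttl_seconds: int, key: bytes = SECRET) -> str:
    """Sign a compact HS256 JWT whose lifetime is bounded by ttl_seconds."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: int, revoked: dict, key: bytes = SECRET):
    """Return (status, subject). Checks run in the order: shape, alg, signature, exp, denylist."""
    parts = token.split(".")
    if len(parts) != 3:
        return ("malformed", None)
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return ("malformed", None)
    # Pin the algorithm; never let the token choose it.
    if header.get("alg") != "HS256":
        return ("unexpected alg", None)
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return ("bad signature", None)
    payload = json.loads(_b64url_decode(p))
    if now >= payload["exp"]:
        return ("expired", None)
    # Revocation lookup: this is the "extra round trip" the comment mentions.
    if payload.get("jti") in revoked:
        return ("revoked", None)
    return ("ok", payload["sub"])


def revoke(revoked: dict, token: str) -> None:
    """Record a token's jti together with its exp so the entry can be dropped later."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    revoked[payload["jti"]] = payload["exp"]


def prune_revocations(revoked: dict, now: int) -> int:
    """Drop denylist entries for tokens that can no longer pass the exp check; return entries kept."""
    for jti in [j for j, exp in revoked.items() if exp <= now]:
        del revoked[jti]
    return len(revoked)


def demo() -> dict:
    """Walk through issue, verify, tamper, revoke, expire and prune on constructed timestamps."""
    now = 1_700_000_000  # constructed issue time
    revoked: dict = {}
    token = issue_token("alice", "tok-1", now, ttl_seconds=3600)
    results = {}
    results["fresh"] = verify_token(token, now + 60, revoked)[0]

    # Tamper with the payload but keep the original signature.
    h, p, s = token.split(".")
    forged_payload = json.loads(_b64url_decode(p))
    forged_payload["sub"] = "mallory"
    forged = f"{h}.{_b64url(json.dumps(forged_payload, separators=(',', ':')).encode())}.{s}"
    results["tampered"] = verify_token(forged, now + 60, revoked)[0]

    revoke(revoked, token)
    results["revoked"] = verify_token(token, now + 60, revoked)[0]
    results["expired"] = verify_token(token, now + 3601, revoked)[0]
    # Once the token has expired the denylist no longer needs to remember it.
    results["pruned_after_expiry"] = prune_revocations(revoked, now + 3601)
    return results


if __name__ == "__main__":
    print(demo())
```

The denylist only has to hold entries for tokens that have not yet expired, so its size is proportional to the number of revocations within one token lifetime. With a lifetime of an hour the list stays small and the window in which a revoked token is still accepted without the lookup is at most that hour; that is the concrete reason short lifetimes make the revocation problem tractable.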