JWT

JWTs are signed tokens that carry claims the server can verify without looking up session state on every request. That makes them attractive for distributed APIs and external identity boundaries. The mistake is expecting a signed blob to solve revocation, permission freshness, or session management by itself.

Minimal Example

const jwt = require("jsonwebtoken"); // Node library assumed by this snippet
// `user` is the authenticated principal from the login flow (not shown here).

const token = jwt.sign(
  { sub: user.id, scope: ["orders:read"] },
  process.env.JWT_SECRET,
  { issuer: "dinglandia", audience: "api", expiresIn: "15m" }, // short lifetime
);

// Verification pins the algorithm as well as issuer and audience;
// expiry is checked by default.
const claims = jwt.verify(token, process.env.JWT_SECRET, {
  issuer: "dinglandia",
  audience: "api",
  algorithms: ["HS256"],
});

What It Solves

  • Lets services verify identity and coarse claims without a central session lookup on each hop.
  • Works well at trust boundaries where issuers and audiences are clearly defined.
  • Encodes expiry and issuer metadata directly into the credential.

Failure Modes

  1. Packing mutable authorization into long-lived tokens and wondering why role changes do not take effect.
  2. Skipping issuer, audience, or algorithm validation during verification.
  3. Treating logout as solved when previously issued tokens are still valid until expiry.

Production Checklist

  • Keep token lifetime short and validate issuer, audience, expiry, and algorithm every time.
  • Store sensitive authorization state server-side if it must change immediately.
  • Rotate signing keys and publish key identifiers for verification rollover.

Closing

JWTs are good transport credentials, not a universal session architecture. Use them for what they prove, not for everything you wish they proved.