• Category: Pulse
  • Status: discussion
  • Sources: gist, discussion
  • Summary: A widely shared gist argues against using JSON Web Tokens for sessions, favoring opaque server-side session identifiers for revocation and simplicity. The thread rehearsed the standard tradeoffs: stateless scaling and cross-service verification for JWTs versus immediate revocation and smaller attack surface for server sessions.
  • Comments: HN commenters largely agreed that JWTs are misused for sessions but defended them for short-lived, service-to-service authorization where revocation matters less.

Send feedback on this story