
We keep our ID blacklist in something like Redis. For how rarely we need to add clients to it, the switch to simple-state JWTs has made noticeable improvements to the speed of our API, especially during higher usage times where our Postgres DB bogs down a bit.

So I'd say the advantage really varies by where you're coming from.




You could even switch what you have in Redis to a bloom filter if the space of revocation tokens gets large (which it shouldn't).

You don't need to support a database online if you're just checking for membership in a small finite set.


Exactly, the database solution is overkill for tokens that are revoked prior to their expiration.


You also just do it in Varnish/Nginx/etc and stick that in front of the application server entirely.
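
The bloom-filter revocation check suggested in this thread, sketched as an added example that is not part of any commenter's post. The class names are hypothetical, the token ID is assumed to be the JWT `jti` claim, and a Python set stands in for the Redis blacklist; a filter hit is confirmed against that store because bloom filters can return false positives but never false negatives.

```python
import hashlib
import math


class RevocationBloom:
    """Bloom filter over revoked token IDs. Misses are definite, hits are not."""

    def __init__(self, capacity, fp_rate):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        self.m = max(8, math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, jti):
        # Double hashing: derive k bit indexes from one SHA-256 digest.
        digest = hashlib.sha256(jti.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, jti):
        for p in self._positions(jti):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, jti):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(jti))


class RevocationChecker:
    """Filter first; only a filter hit costs a lookup in the blacklist store."""

    def __init__(self, revoked_store, capacity=1000, fp_rate=0.01):
        self.store = revoked_store  # authoritative set (stand-in for Redis)
        self.bloom = RevocationBloom(capacity, fp_rate)
        for jti in revoked_store:
            self.bloom.add(jti)
        self.store_lookups = 0

    def revoke(self, jti):
        self.store.add(jti)
        self.bloom.add(jti)

    def is_revoked(self, jti):
        if not self.bloom.might_contain(jti):
            return False  # definite miss: token was never revoked
        self.store_lookups += 1  # possible false positive, confirm it
        return jti in self.store
```

Bits cannot be cleared from a bloom filter, so once revoked tokens pass their expiry the filter is rebuilt from the entries still in the store.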



