
> "But isn't blacklisting stateful in its nature and thus achieving the opposite of what JWTs are for?"

JWTs are really just the format, and you can store them however you want to.

What you want is to avoid having to query a centralized database or datastore for every request. (1)

It's hard, but doable, to design a blacklisting scheme that does not depend on a centralized db (2). This way you can have your cake and eat it too. You avoid the "ask the database for every request" scenario. People will counter with "but you query the database for every request anyway" to which I answer: "No, I do not" :)

1: Well, that depends on your app and usecase, of course

2: Basically you push the blacklist, which is short, out to everything that needs it. It gets complicated =/
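A sketch of the scheme described above, added here as an illustration and not the commenter's own code: each service holds a local copy of a short revocation list keyed by the token's `jti`, the central publisher pushes additions to every node (modelled by `apply_update`; the transport itself is out of scope), and entries are dropped once the token they refer to would have expired anyway, which is what keeps the list short. Verification is a plain local signature check plus a set lookup, so no request touches the central store. The HS256 signer, the secret, and the claim layout (`jti`, `exp`) are assumptions for the demo; the `alg` pin and the requirement that every token carry `jti` and `exp` are the checks that make a revocation list workable at all.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment would use a per-environment key.
SECRET = b"demo-secret-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT. The caller must supply 'jti' and 'exp' in claims."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    payload = json.dumps(claims, separators=(",", ":"))
    signing_input = f"{_b64url(header.encode())}.{_b64url(payload.encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class LocalRevocationList:
    """Per-node copy of the blacklist, fed by pushed updates rather than queries.

    Each entry remembers the token's own 'exp' so it can be pruned once the
    token would be rejected as expired regardless; the list never grows past
    the number of tokens revoked within one token lifetime.
    """

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def apply_update(self, entries, now=None):
        """Merge a pushed batch of (jti, exp) pairs from the central publisher."""
        for jti, exp in entries:
            self._revoked[jti] = exp
        self.prune(now)

    def prune(self, now=None):
        now = time.time() if now is None else now
        for jti in [j for j, exp in self._revoked.items() if exp <= now]:
            del self._revoked[jti]

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def __len__(self):
        return len(self._revoked)


def verify_jwt(token: str, revocations: LocalRevocationList,
               key: bytes = SECRET, now=None):
    """Return the claims if the token is valid and not revoked, else None.

    Everything here is local: an HMAC check and a dict lookup. No network.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token pick (rejects "none" and friends).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    # Without a jti there is nothing to blacklist; without exp the list never shrinks.
    if not isinstance(claims, dict) or "jti" not in claims or "exp" not in claims:
        return None
    if claims["exp"] <= now:
        return None
    if revocations.is_revoked(claims["jti"]):
        return None
    return claims
```

Because `prune` keys off the token's own `exp`, the size of each node's copy is bounded by the revocation rate times the token lifetime, which is the reason short-lived tokens and a pushed blacklist go together.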
