This kind of comment might make one wonder why not just use a sessionId to begin with, but JWT in this case is still useful in a microservice arch because a token which has been revoked from one high-security microservice may still be valid for lower-security microservices. It gives each microservice the option of deciding what kind of security it needs to provide... They may not need any revocation list; maybe the JWT on its own is sufficient; they just keep accepting the token until it expires naturally.
The token expiry determines the baseline accuracy of banning across all services.
> This kind of comment might make one wonder why not just use a sessionId to begin with
JWT and sessionIds are totally different beasts. JWTs are used per request, are designed to expire and be refreshed, are specific to each individual endpoint and store authorization info in a specialized third-party service.
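The per-service revocation policy discussed in this thread, as an added example that is not part of the original comments: two services verify the same HS256 token, but only one consults a revocation list. The key, the service names and the use of a `jti` claim as the revocation key are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(sub, jti, exp):
    """Mint a compact HS256 JWT (constructed sample tokens only)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "jti": jti, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(token, now):
    """Checks every service performs: signature, pinned alg, expiry."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        claims = json.loads(_unb64(body))
    except ValueError as err:
        raise PermissionError(str(err)) from err
    if now >= claims["exp"]:
        raise PermissionError("expired")
    return claims

class Service:
    """denylist=None means: trust a valid token until it expires."""
    def __init__(self, denylist=None):
        self.denylist = denylist

    def authorize(self, token, now):
        try:
            claims = verify(token, now)
        except PermissionError:
            return False
        return self.denylist is None or claims["jti"] not in self.denylist

revoked = set()               # shared revocation list (hypothetical store)
payments = Service(revoked)   # high-security service: checks the list
catalog = Service()           # low-security service: expiry only
```

After a token's `jti` is added to `revoked`, `payments` rejects it immediately while `catalog` keeps accepting it until `exp`, so the token lifetime is the upper bound on how long a ban takes to reach every service.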