Revoke JWTs by introducing a stateful revocation layer using a token blacklist (JTI), user versioning, or short-lived tokens with refresh token rotation.
Because JWTs are stateless, the server keeps no session record it could delete, so a signed token stays valid until its `exp` claim passes. Practical revocation therefore adds a small stateful component that the verifier consults on every request. The most common methods are: (1) Token blacklist – store revoked token identifiers (the `jti` claim) in a fast cache such as Redis, keeping each entry only until that token's `exp`; (2) User versioning – keep a version number in the user record, embed it in each issued JWT, and increment it to invalidate every outstanding token for that user at once; (3) Short-lived access tokens (5–15 minutes) with refresh token rotation – revoke the refresh token, forcing re-authentication as soon as the current access token expires. At large scale, combine the blacklist with versioning and short lifetimes to minimize the revocation window.
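The following is an added example, not code from the original answer, showing methods (1), (2) and (3) together in one verifier: an in-memory `RevocationStore` stands in for Redis and the user table, tokens are HS256-signed by hand so the snippet runs offline, and the secret, the 300-second TTL, the user id `alice` and all timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo secret; a real deployment loads a properly generated key.
SECRET = b"constructed-demo-secret-do-not-reuse"
DEFAULT_TTL = 300  # short-lived access token (5 minutes), method (3)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RevocationStore:
    """Stand-in for Redis plus the user record: a jti blacklist with
    expiry (method 1) and a per-user token version (method 2)."""

    def __init__(self):
        self._revoked = {}        # jti -> exp of the revoked token
        self._user_version = {}   # sub -> current version number

    def revoke_jti(self, jti: str, exp: int) -> None:
        # Entry is only needed until the token would have expired anyway.
        self._revoked[jti] = exp

    def is_revoked(self, jti: str, now: int) -> bool:
        exp = self._revoked.get(jti)
        if exp is None:
            return False
        if exp <= now:              # what a Redis TTL would do for us
            del self._revoked[jti]
            return False
        return True

    def user_version(self, sub: str) -> int:
        return self._user_version.get(sub, 0)

    def bump_user_version(self, sub: str) -> None:
        # Invalidates every token issued to `sub` before this call.
        self._user_version[sub] = self.user_version(sub) + 1


def issue_token(store: RevocationStore, sub: str, now: int, ttl: int = DEFAULT_TTL) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl,
               "jti": uuid.uuid4().hex,            # unique id for the blacklist
               "ver": store.user_version(sub)}     # snapshot of the user version
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(store: RevocationStore, token: str, now: int):
    """Return (ok, reason, payload). Signature and alg are checked before
    any claim is trusted; revocation state is consulted on every call."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    if header.get("alg") != "HS256":      # refuse alg=none and key confusion
        return False, "unexpected alg", None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature", None
    payload = json.loads(_b64url_decode(p))
    if payload["exp"] <= now:
        return False, "expired", None
    if store.is_revoked(payload["jti"], now):
        return False, "revoked jti", None
    if payload["ver"] != store.user_version(payload["sub"]):
        return False, "stale user version", None
    return True, "ok", payload


def revoke_token(store: RevocationStore, token: str) -> None:
    """Blacklist one specific token (e.g. on logout) until its own exp."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    store.revoke_jti(payload["jti"], payload["exp"])


if __name__ == "__main__":
    store, t0 = RevocationStore(), int(time.time())
    tok = issue_token(store, "alice", t0)
    print(verify_token(store, tok, t0 + 10)[1])       # ok
    revoke_token(store, tok)
    print(verify_token(store, tok, t0 + 10)[1])       # revoked jti
    store.bump_user_version("alice")
    print(verify_token(store, issue_token(store, "alice", t0 - 60), t0)[1])
```

The blacklist only ever holds tokens that are not yet expired, so its size is bounded by the number of revocations within one access-token lifetime; the version check costs one lookup per request but needs no per-token state at all.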