Facebook Pixel

How do I revoke a JWT on logout?

Use short expiry so the window is small. For real revocation, use a refresh token (stored in DB) and delete it on logout. The access token expires in 15 min anyway. Without refresh tokens, you cannot truly revoke a JWT before expiry without a blacklist.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in Common JWT Mistakes (and How to Avoid Them)

Storing in LocalStorage, no expiry, sensitive data in payload, jwt.decode instead of verify, weak secret, no expired token handling, no revocation on logout, same secret across envs, no algorithm verification, and big payloads.

LocalStorage is open to XSS. Any script (including injected ones) can read it and send the token to an attacker. Use an httpOnly, secure, sameSite cookie. Scripts cannot read it.

jwt.decode just reads the payload without checking the signature. An attacker can forge a token with any payload. jwt.verify checks the signature and expiry, so forged tokens are rejected.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.