What is the hybrid JWT + refresh token approach?
Use a short-lived JWT (15 min) for access. Use a long-lived refresh token (7 days, stored in DB) to get new JWTs. Best of both worlds: stateless access, revocable refresh. To log out a user, delete their refresh token.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in JWT vs Session Cookies: Which to Use
Sessions for single web apps where you want easy revocation and the simplest secure setup. JWT for microservices, SSO, and mobile where you need stateless auth. Both work; choose by use case.
The server does not store sessions. The token carries all the info (userId, role, expiry) and is signed so it cannot be tampered with. The server verifies the signature on each request, without a session lookup. This makes horizontal scaling easy.
Because the server does not store sessions. The token is valid until it expires. To revoke early, you need a blacklist (defeats stateless) or short expiry with refresh tokens (revocation at the refresh level).
Still have questions?
Browse all our FAQs or reach out to our support team
