tl;dr: if you already understand why and how to support blacklisting JWTs, skip straight to the code.
In a previous post we proposed using JSON Web Tokens as API keys, went over some of the benefits of doing so, and gave examples based on our API v2 scenarios. This post follows up by covering an aspect that was not addressed before: how to blacklist a JWT API key so that it is no longer valid.
A real world example
Let's assume for a moment that GitHub used JSON Web Tokens as API keys and that one of them was accidentally published on the web. You would want to make sure that the app holding it can no longer access your information, and the way to do that is to revoke that token.
Framing the problem
Providing support for blacklisting JWTs poses the following questions:
- How are JWTs individually identified?
- Who should be able to revoke JWTs?
- How are tokens revoked?
- How do we avoid adding overhead?
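The four questions above map directly onto a small amount of code. The following is an added example, not code from the original post or from the API v2 implementation it describes: it identifies each key by its `jti` claim (the JWT ID registered in RFC 7519), keeps revoked IDs in a blacklist, and checks that blacklist only after the signature has been verified. The HS256 signing with Python's standard library, the `issue_api_key`/`verify_api_key`/`Blacklist` names, the demo secret and the sample claims are all assumptions made for the example; the in-memory store stands in for whatever shared store the API nodes would really consult.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"demo-signing-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_api_key(claims: dict, jti, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT. The jti claim is what lets one key be revoked
    individually; passing jti=None shows what happens without it."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=int(time.time()))
    if jti is not None:
        payload["jti"] = jti
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


class Blacklist:
    """Revocation store keyed by jti. In-memory here (assumption); in practice
    every API node must read the same store, so it would live in a shared
    database or cache."""

    def __init__(self):
        self._revoked = {}  # jti -> reason recorded at revocation time

    def revoke(self, jti: str, reason: str = "revoked") -> None:
        self._revoked[jti] = reason

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked


def verify_api_key(token: str, blacklist: Blacklist, secret: bytes = SECRET):
    """Return (accepted, reason, payload). The signature is checked before the
    blacklist so that forged tokens never cause a lookup in the store."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    encoded_header, encoded_payload, encoded_signature = parts
    try:
        header = json.loads(_b64url_decode(encoded_header))
        payload = json.loads(_b64url_decode(encoded_payload))
        signature = _b64url_decode(encoded_signature)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    # Pin the algorithm: the header must never choose the verifier ("alg": "none").
    if header.get("alg") != "HS256":
        return False, "unsupported alg", None
    expected = hmac.new(
        secret, f"{encoded_header}.{encoded_payload}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature", None
    jti = payload.get("jti")
    if not isinstance(jti, str) or not jti:
        # A key without a jti cannot be revoked on its own, so refuse it outright.
        return False, "missing jti", None
    if blacklist.is_revoked(jti):
        return False, "revoked", None
    return True, "ok", payload


if __name__ == "__main__":
    store = Blacklist()
    key = issue_api_key({"sub": "app-42", "scope": "read:repos"}, jti="key-0001")
    print(verify_api_key(key, store)[:2])   # accepted
    store.revoke("key-0001", "leaked on the web")
    print(verify_api_key(key, store)[:2])   # rejected: revoked
```

Two points of the design are worth calling out. Revocation is keyed on `jti` rather than on the whole token string, so the blacklist stays small and a key can be revoked from an audit record that never stored the token itself. And the blacklist lookup is the last step, after the signature check, which is also where the overhead question gets answered: only tokens that already passed cryptographic verification ever touch the store, and the store only has to hold revoked IDs, not every key ever issued.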
This blog post aims to answer the previous questions by leveraging our experience from implementing this feature in our API v2.