JWT is a scam and your app doesn't need it
The article critiques JSON Web Tokens (JWT), arguing that they do not deliver the stateless authentication they promise. It claims that JWTs create more problems than they solve, in particular that a signed token cannot be revoked before its expiry and that the usual workarounds reintroduce the server-side state JWT was meant to remove. The author suggests that simpler and more secure alternatives exist for managing authentication in applications.
- A JWT cannot be invalidated before it expires: a stateless verifier checks only the signature and the `exp` claim, so a stolen or logged-out token stays valid until then unless the server keeps a denylist, which is server-side state again.
- Refresh tokens, the usual workaround for that revocation problem, keep the access JWT short-lived but add a second token and a server-side check, complicating the authentication flow.
- The author advocates simpler solutions, such as opaque bearer tokens stored in a database and looked up on each request, which can be revoked by deleting the row.
Opening excerpt (first ~120 words)
JWT promises stateless authentication and delivers neither. It's a cargo cult that makes your app slower, less secure, and harder to maintain — and almost every developer shipping it has no idea why.

Published 2026-05-23 · 9 min read · 2,080 words · #auth #security #architecture #jwt #rant · PGP Verified

On this page:
- what JWT actually is, and what the pitch was
- you cannot invalidate a JWT. you just can't.
- refresh tokens are a confession
- the per-request cost is real and people lie about it
- the frontend "verification" nobody has ever shipped
- encrypted JWT (JWE) is even more nonsensical
- "just put the JWT in an httpOnly cookie"
- "no system is stateless" — please stop pretending
- what to ship instead
- "but I'm building an…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Dusan Malusev.