Stop using JWTs. GitHub Gist: instantly share code, notes, and snippets.

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

JWTs are not suitable for managing user sessions in web applications. The JWT spec was designed only for very short-lived tokens, stateless authentication is inherently insecure without significant infrastructure, and the spec itself has known security flaws that experts distrust. Regular cookie-based sessions are a more secure, flexible, and well-supported alternative. For cases requiring short-lived signed tokens, PASETO is recommended as a more secure alternative. Common misconceptions — such as Google using JWTs for sessions or stateless being inherently better — are addressed and debunked.