System Design News's resource offers insights, tutorials, and resources for software architects and system designers. Readers can learn about system architecture patterns, scalability techniques, and design trade-offs. With articles, case studies, and best practices, System Design News provides  guidance and expertise for designing robust and scalable systems.

System Design Newsletter

The post explains the concept of JSON Web Tokens (JWT) and their structure, as well as their role in user authentication and authorization. It highlights the advantages of using JWT in distributed systems for scalability and ease of managing user sessions across servers. The post also addresses potential security risks associated with JWT and offers tips for mitigating these risks.

The System Design Newsletter

Linear: Issue tracking without the noise - Sponsor

Cool article, I like the storytelling.
For beginners - it would be cool to also describe concept of refresh token.
I’d like to highlight that there are methods to mitigate the risk of attacker with stolen JWT doing bad things. There’s a whole concept of “reuse token detection” and tokens rotation. It also solves this point from article by removing token family from db:
<blockquote>
Yet there’s no way to invalidate a stolen JWT. A workaround is to include the stolen JWT in a denial list on the server.
</blockquote>
For example Auth0 does it:
<a href="https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation" target="_blank" rel="noopener nofollow">https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation</a>