This JWT auth has a critical bug

Added: 2026-05-27

[00:00:00]A junior dev shipped this JWT auth, looks clean, has a critical bug. Sign in works, tokens last 30 days, users stay logged in across every visit. Then the security team finds it.

[00:00:11]A user gets banned in the database. They refresh the dashboard and it still loads for the rest of the 30 days.

[00:00:19]The flaw is one word, stateless. JWTs are never checked against your database.

[00:00:25]The server only verifies the signature.

[00:00:27]Banned in the DB, the token doesn't care. It's valid till expiry. Two ways out. One, short access tokens. 15 minutes. A refresh token checks the database before reissuing. Ban hits in 15 minutes, not 30 days.

[00:00:43]Two, a revocation list in Redis. Every request checks if the token's been killed. Ban equals instant logout. Which one would you ship? Drop it below.