Is there a way to revoke a user's jwt token?

I am wondering what would be the recommended way of revoking a jwt token returned in the response of the authentication API /auth/local .

System Information
  • Strapi Version: 3.2.5
  • Operating System: Windows 10
  • Database: mysql
  • Node Version: 14
  • NPM Version: 6
  • Yarn Version:

JWTs have a default expiry date of 30 days.

Currently there is no way to revoke a JWT without revoking all users by changing the JWT_SECRET and restarting the server (which makes the JWT invalid).

Beyond that you would need to introduce a JWT “whitelist” or “blacklist”, which Strapi doesn’t offer natively (yet). When a new JWT is issued you add it to a “whitelist”, and you implement your own /auth/logout function to remove it from this list. Likewise it would probably be a good idea to check that if an expired token is used, it is automatically removed from the “whitelist”.

A “blacklist” would be a bit easier to implement but could quite quickly run out of control without regularly cleaning.


Blacklisting using something like Redis, with a key expiry time set to shortly after the JWT’s own expiry seems to work well and is pretty much self-maintaining, unless you anticipate huge numbers of revocations. Revocation checks using Redis are acceptably fast also (at least for me).


Great suggestion, yeah if you plan to use Redis there are quite a few powerful things you can do (especially scaling the Strapi backend). 👍
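The self-expiring blacklist described in the thread, as an added example that is not part of any post and is not Strapi code. `MemoryStore`, `setEx`, `exists`, `revoke`, `isRevoked`, `sampleToken` and the 60-second grace period are hypothetical names and values chosen for illustration; a real Redis client would be asynchronous, and signature verification is assumed to happen before these functions are called.

```javascript
// Added example: MemoryStore is a constructed stand-in for Redis so the block
// runs offline. It mimics SET key value EX seconds and EXISTS.
class MemoryStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.items = new Map();
  }
  setEx(key, ttlSeconds, value) {
    this.items.set(key, { value, expiresAt: this.now() + ttlSeconds * 1000 });
  }
  exists(key) {
    const item = this.items.get(key);
    if (item && item.expiresAt <= this.now()) this.items.delete(key); // lazy expiry
    return this.items.has(key);
  }
}

const GRACE_SECONDS = 60; // assumption: keep entries "shortly after" exp for clock skew

// Read claims from a token whose signature has ALREADY been verified elsewhere.
function readClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Core of a logout handler: denylist the token until just past its own expiry.
// Returns the TTL in seconds, or 0 when the token is already dead.
function revoke(store, token, nowMs = Date.now()) {
  const { exp } = readClaims(token);
  if (typeof exp !== 'number') throw new Error('no exp claim: entry would never expire');
  const ttl = exp - Math.floor(nowMs / 1000) + GRACE_SECONDS;
  if (ttl <= 0) return 0;
  store.setEx('revoked:' + token, ttl, '1');
  return ttl;
}

// Per-request check, to run after the normal signature and exp validation.
function isRevoked(store, token) {
  return store.exists('revoked:' + token);
}

// Constructed sample token: the signature part is a placeholder, not a real MAC.
function sampleToken(claims) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [b64url({ alg: 'HS256', typ: 'JWT' }), b64url(claims), 'sig-placeholder'].join('.');
}
```

Because each entry's lifetime is derived from the token's own `exp`, the list never holds more than the revocations made within one token lifetime, which is what keeps it self-maintaining.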