Spring Security 6 & JWT Authentication · Lesson

JWT Blacklisting and Whitelisting

Deep dive into advanced token revocation techniques, including maintaining blacklists or whitelists of tokens.

Why Revoke JWTs?

JSON Web Tokens (JWTs) are powerful for authentication, but sometimes you need to invalidate them before their natural expiry. This process is called token revocation.

  • Compromised Token: If a token is stolen.
  • User Logout: To immediately end a user's session.
  • Password Change: To invalidate all old tokens.
  • Role Changes: To force re-authentication with new permissions.

The Stateless Challenge

JWTs are inherently stateless. Once issued, they contain all necessary information for validation and don't require the server to store session data.

This statelessness is a strength, but it makes direct server-side revocation tricky: any token whose signature and expiry check out is accepted, and the server typically holds no list of active tokens that it could simply 'turn off'.
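One way to add exactly the server-side state that is missing, as an added example written for this lesson rather than code from the course: a small in-memory denylist keyed by the token's `jti` claim, plus a per-user "issued-before" cutoff that covers the password-change and role-change cases. The class and method names are assumptions; the `jti`, `sub`, `iat` and `exp` values are taken from a token whose signature and expiry have already been verified.

```java
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical names, not part of the lesson): a denylist that a
// JWT filter consults *after* the signature and exp checks have passed.
// Entries are kept only until the token's own exp, so the store stays bounded:
// once a token has expired, the normal exp check rejects it and the entry can go.
public final class TokenRevocationStore {
    // jti -> exp of the revoked token
    private final Map<String, Instant> revokedJtis = new ConcurrentHashMap<>();
    // subject -> instant before which every token of that user is invalid
    private final Map<String, Instant> userCutoffs = new ConcurrentHashMap<>();

    /** Revoke a single token, e.g. on logout. expiresAt is the token's exp claim. */
    public void revoke(String jti, Instant expiresAt) {
        revokedJtis.put(jti, expiresAt);
    }

    /** Invalidate every token issued to the user so far, e.g. on password or role change. */
    public void revokeAllForUser(String subject, Instant now) {
        // iat has one-second resolution, so the cutoff is stored at the same resolution.
        userCutoffs.put(subject, now.truncatedTo(ChronoUnit.SECONDS));
    }

    /** True if a token that is otherwise valid must still be rejected. */
    public boolean isRevoked(String jti, String subject, Instant issuedAt, Instant now) {
        pruneExpired(now);
        if (revokedJtis.containsKey(jti)) {
            return true;
        }
        Instant cutoff = userCutoffs.get(subject);
        // Tokens minted strictly before the cutoff second are rejected; a token minted in
        // the same second as the change is accepted, so issue the post-change token after
        // calling revokeAllForUser, not before.
        return cutoff != null && issuedAt.isBefore(cutoff);
    }

    /** Drop denylist entries whose token has expired anyway. Cheap here; a TTL-capable
     *  store such as Redis with a per-key expiry does the same job at scale. */
    private void pruneExpired(Instant now) {
        revokedJtis.entrySet().removeIf(e -> !e.getValue().isAfter(now));
    }
}
```

A whitelist is the mirror image: the store holds the `jti` of every token still allowed, and `isRevoked` becomes "not present in the allow-list", at the cost of one store lookup on every request rather than only for revoked tokens.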
