How Can You Revoke a Stolen JWT in a Stateless System?

Asked By TechieTornado42 On

I'm learning about system design and have come across JSON Web Tokens (JWTs). I get that they're essential for stateless systems where multiple servers share a secret key, but I'm curious about security. If someone's JWT gets stolen, what can be done to revoke access? Is it even possible to revoke a JWT in a setup that doesn't maintain any state on the server?

4 Answers

Answered By WittyDevMaster On

Usually, JWTs are set to expire in a short timeframe, like 5 to 30 minutes. Since state isn't stored on the server, you may want a backend flag that marks a user as logged out, which would require them to log in again for new tokens. For more complex systems, consider having a latest valid JWT in a store that can be nullified when issues arise.

Answered By CodeCrafter88 On

You might want to have tokens expire within a few minutes for quick revocation. However, if quick actions are necessary, maintaining a deny list in a database or cache like Redis could help. Just remember that revoking a refresh token is critical too—if a user can’t mint new tokens, they're much less of a threat.

Answered By DevNinja21 On

JWTs typically expire in just a few hours, so by the time an admin gets contacted, the token might already be invalid. Some services allow users to log out of all sessions themselves, which can eliminate the need for admin intervention. You could also update a database flag to invalidate tokens issued before a certain time. This way, any requests using old tokens could redirect users to log in again.

Answered By CleverCoder99 On

One common approach to handle revoked tokens is using short-lived tokens. If you really need to revoke a JWT immediately, you can implement a distributed cache, like Redis, to keep track of invalidated tokens. While stateless systems don't hold session states, they can still use the cache to verify if a token has been revoked. Just remember, true statelessness doesn't mean you can't use some form of backend storage for this purpose.
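The three mechanisms the answers above describe (short expiry, a deny list keyed by token id as CodeCrafter88 and CleverCoder99 suggest, and the "reject tokens issued before time T" flag DevNinja21 describes) fit together in a single verifier. The following is an added example, not code from any of the answerers or from a particular library: it mints and verifies HS256 tokens with only the standard library, and `RevocationStore` is an in-memory stand-in for the Redis or database table the answers mention. The secret, subject names and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Shared HMAC secret, constructed for this example; load it from a secret store in practice.
SECRET = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, now: int, ttl_seconds: int = 300) -> str:
    """Mint a short-lived HS256 JWT. The jti gives the deny list something to key on."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl_seconds,
               "jti": secrets.token_urlsafe(16)}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class RevocationStore:
    """The small amount of server-side state the answers describe.
    Stands in for Redis: a jti deny list whose entries expire with the token,
    plus a per-user cut-off so 'log out everywhere' needs no per-token entry."""

    def __init__(self) -> None:
        self.denied: dict[str, int] = {}          # jti -> exp of the denied token
        self.invalid_before: dict[str, int] = {}  # sub -> cut-off timestamp

    def deny(self, jti: str, exp: int) -> None:
        # An entry only needs to live until the token would have expired anyway.
        self.denied[jti] = exp

    def logout_everywhere(self, sub: str, now: int) -> None:
        # Every token issued at or before `now` for this user becomes invalid.
        self.invalid_before[sub] = now

    def is_denied(self, jti: str, now: int) -> bool:
        exp = self.denied.get(jti)
        if exp is None:
            return False
        if exp <= now:
            del self.denied[jti]  # token expired on its own; entry no longer needed
            return False
        return True


def verify_token(token: str, store: RevocationStore, now: int) -> Optional[dict]:
    """Return the payload if the token is authentic, unexpired and not revoked, else None."""
    try:
        h64, p64, s64 = token.split(".")
        expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison; the signature check comes before trusting any claim.
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256":
        return None
    if payload["exp"] <= now:                                    # short lifetime does most of the work
        return None
    if store.is_denied(payload["jti"], now):                     # immediate per-token revocation
        return None
    if payload["iat"] <= store.invalid_before.get(payload["sub"], -1):  # "issued before T" flag
        return None
    return payload


def revoke_token(token: str, store: RevocationStore, now: int) -> bool:
    """Deny-list one specific token (e.g. a reported stolen one). Returns False if it was not valid."""
    payload = verify_token(token, store, now)
    if payload is None:
        return False
    store.deny(payload["jti"], payload["exp"])
    return True


if __name__ == "__main__":
    store = RevocationStore()
    stolen = mint_token("alice", now=1000)
    print("valid before revocation:", verify_token(stolen, store, now=1001) is not None)
    revoke_token(stolen, store, now=1001)
    print("valid after revocation:", verify_token(stolen, store, now=1002) is not None)
```

The deny list only has to hold a jti until the token's own `exp`, so with 5 to 30 minute lifetimes it stays small; the per-user cut-off covers "log out of all sessions" without enumerating tokens. Note that the cut-off comparison is `iat <= T`, so a token minted in the same second as the logout is also rejected and a fresh login must carry a later `iat`.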
