Managing JWT token expiration

When you work with JWTs for authentication, you run into a few recurring problems, in particular around token expiration.

In this post I want to share the strategies I have found useful for managing it.

A JWT that never expires is dangerous: if it is stolen, whoever holds it can access the user's data indefinitely.

A JWT should be stateless, meaning that everything the server needs is stored in the payload, so no database lookup is required on every request. The token is therefore considered valid until the expiration time in its exp claim has been reached.

However, your company may have a legitimate reason not to follow this standard, for example when you need strict logout, which requires a server-side denylist of revoked tokens that is consulted to deny access.

Depending on the company, there are different policies for token expiration: some want customers to remain logged in indefinitely, others require users to be logged out of the application after a few hours.

So talk to your product team and agree on the strategy that works best for your particular situation.

Reactive

With the reactive strategy our application plays a passive role: it monitors HTTP responses, looking for 401 responses.

As the name suggests, we assume the token is valid for every request and react only when a response tells us it is no longer valid.

Proactive

As the name indicates, we check the expiration date inside the token before making the HTTP request to the resource server, to decide whether the token is still valid. You can also set a periodic timer that checks for expiration.

In this case we can be confident the request will succeed, because the token's expiration date is still in the future at the moment we send it.

Hybrid

The hybrid strategy combines the previous two, so that we also handle the case where a token that was valid when checked expires while the request is in flight, producing a 401 response.

This is particularly useful when a request takes a long time before it is actually sent, or in a high-volume system where requests may be queued before the server can handle them, with the possibility that the token has expired in the meantime.
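The three strategies described above (reactive, proactive and hybrid) as one client-side implementation, added here as an example and not taken from the article. It also covers the refresh step mentioned at the end of the post and the concurrency problem the comparison below raises: a single in-flight refresh is shared by all requests, so three concurrent requests hitting an expired token cause one refresh, not three. Assumptions: the resource server answers 401 for an expired token, refresh() is an application-supplied function that returns a fresh access token (for example by calling a refresh-token endpoint), and the fetch function is injectable; the server, the refresh function and the tokens are stubbed in the block so it runs offline.

```javascript
// Added example, not the article's code: the reactive, proactive and hybrid
// strategies in one client, plus a single-flight refresh so that concurrent
// requests hitting an expired token cause only one refresh.
// Assumptions: the resource server answers 401 for an expired token, and
// refresh() is an app-supplied function returning a fresh access token (for
// example from a refresh-token endpoint). Both are stubbed below for the demo.

function base64UrlDecode(s) {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  return atob(b64);
}

// Reads the claims WITHOUT verifying the signature. The client uses exp only as
// a hint about expiry; authorization decisions stay on the server.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Proactive check: treat the token as unusable if exp is within skewSeconds of
// now, absorbing clock drift and the time the request will spend in flight.
function isExpiringSoon(token, nowSeconds, skewSeconds = 30) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true;      // no exp claim: do not guess
  return exp - nowSeconds <= skewSeconds;
}

function createApiClient({ strategy, token, refresh, fetchImpl,
                           now = () => Math.floor(Date.now() / 1000) }) {
  if (!['reactive', 'proactive', 'hybrid'].includes(strategy)) {
    throw new Error(`unknown strategy: ${strategy}`);
  }
  const checkBefore = strategy !== 'reactive';
  const retryOn401 = strategy !== 'proactive';
  let current = token;
  let inflight = null;   // the single refresh in progress, shared by all callers

  // Single-flight refresh: callers that arrive while one is running await the
  // same promise. A rejected refresh propagates to every waiting caller.
  function refreshOnce() {
    if (!inflight) {
      inflight = Promise.resolve().then(refresh)
        .then((fresh) => { current = fresh; return fresh; })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  const withAuth = (options, tok) => ({
    ...options, headers: { ...(options.headers || {}), Authorization: `Bearer ${tok}` },
  });

  async function request(url, options = {}) {
    if (checkBefore && isExpiringSoon(current, now())) await refreshOnce();
    const used = current;
    let res = await fetchImpl(url, withAuth(options, used));
    if (retryOn401 && res.status === 401) {
      // Another caller may already have replaced the token; refresh only if we
      // still hold the one the server rejected, then retry exactly once.
      if (used === current) await refreshOnce();
      res = await fetchImpl(url, withAuth(options, current));
    }
    return res;   // a second 401 goes back to the caller (e.g. to force a logout)
  }

  return { request, currentToken: () => current };
}

// ---- Constructed test doubles, no network involved ----
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
// Token with a dummy signature part: this client never verifies signatures.
const makeToken = (exp) => `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ sub: 'u1', exp })}.sig`;

// Stub resource server: 401 when the bearer token is past exp at server time.
function makeFakeServer(serverNow) {
  const calls = [];
  const fetchImpl = async (url, options) => {
    calls.push(url);
    const tok = (options.headers.Authorization || '').replace(/^Bearer /, '');
    const { exp } = decodeJwtPayload(tok);
    return exp > serverNow() ? { status: 200, ok: true } : { status: 401, ok: false };
  };
  return { fetchImpl, calls };
}

// Runs one scenario: a token expiring tokenExpOffset seconds from the client's
// clock, a server clock serverSkew seconds ahead, and the given concurrent URLs.
async function runScenario({ strategy, tokenExpOffset, serverSkew = 0, urls = ['/a'] }) {
  const clock = 1700000000;                              // constructed client time (s)
  const server = makeFakeServer(() => clock + serverSkew);
  let refreshes = 0;
  const refresh = async () => { refreshes += 1; return makeToken(clock + 900); };
  const client = createApiClient({ strategy, token: makeToken(clock + tokenExpOffset),
                                   refresh, fetchImpl: server.fetchImpl, now: () => clock });
  const results = await Promise.all(urls.map((u) => client.request(u)));
  return { statuses: results.map((r) => r.status), refreshes, fetches: server.calls.length };
}
```

Two scenarios are worth running. With a token that is already expired and three concurrent requests, the reactive client makes six fetches (three rejected, three retried) and one refresh, while the proactive and hybrid clients refresh once up front and make three fetches. With a token that still has 60 seconds left on the client's clock but is already past exp on a server whose clock is 61 seconds ahead, the proactive client returns the 401 to the caller, and only the hybrid client recovers with a refresh and a retry; that is the in-flight expiry case the hybrid strategy exists for. The used === current check is what keeps a late 401 from triggering a second refresh after another request has already replaced the token.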

You may feel that one of these strategies is the clear winner, but think about your particular use case: each strategy has trade-offs and works better under certain circumstances.

Let's quickly compare each strategy (+ pros, - cons).

Reactive

+ Robust: a 401 will always be handled.

- Firing requests with an invalid token wastes server resources: the request is sent, rejected, and then repeated.

- Concurrent requests that all fail with 401 need coordination so the token is refreshed only once.

Proactive

+ No unnecessary requests are made once the token has expired.

- Client resources are consumed if the token is checked periodically.

- An extra check on every request, even while the token is valid.

- The token may still expire during the request, returning a 401 that this strategy alone does not handle.

Hybrid

+ Combines the strengths of the previous two approaches.

- Concurrent requests still need handling, although it is less often needed thanks to the proactive check.

- Extra resources to check the token on every request.

As you can see, each variant has use cases where it suits your system better than the others. To enumerate some cases:

I am sure you have more trade-offs or use cases that I have not considered in this article. I look forward to hearing yours in the comment section below.

In this post I have covered the alternatives for handling token expiration. However, there is a second dimension to consider, which I want to cover briefly.

When a token is about to expire, there are mechanisms to request a new one so that the user stays logged in, while keeping the assurance that each individual token eventually expires and can no longer be used to access the user's data if it leaks.
