Is Tymon/jwt-auth a real refresh/access token system?
I’m concerned about whether this approach is truly secure and reliable for production systems. Are there risks in rolling your own refresh token logic with Tymon/JWT compared to using a framework that handles it natively?
There are definite risks in rolling your own refresh token logic with Tymon/JWT (or any JWT library) compared to using a framework that handles refresh tokens natively.
JWTs themselves are stateless, meaning once issued, the server doesn’t track them unless you implement some mechanism yourself. This brings a few common pitfalls.
Rolling your own refresh token logic with Tymon/JWT can work, but it’s risky. The most common mistakes involve revocation, rotation, storage, and concurrency. If security and reliability are critical (as in production), using a framework or managed solution is strongly recommended.
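As an added illustration of the revocation, rotation, storage and concurrency pitfalls named in the answer above (this is not code from the thread or from tymon/jwt-auth itself): a framework-free PHP refresh-token store. It assumes an in-memory array stands in for a database table and that the caller mints the short-lived access JWT separately (with tymon/jwt-auth that would be `JWTAuth::fromUser($user)`).

```php
<?php
// Added example, not tymon/jwt-auth code. Opaque refresh tokens are stored only as
// SHA-256 hashes, are single-use (rotation), belong to a "family" per login, and a
// replay of an already-used token revokes the whole family (reuse detection).
final class RefreshTokenStore
{
    /** @var array<string, array{family:string, user:int, exp:int, used:bool}> keyed by token hash */
    private array $rows = [];   // assumption: stands in for a DB table

    // Issue an opaque token; the plaintext is returned once and never stored.
    public function issue(int $userId, ?string $family = null, int $ttl = 1209600): string
    {
        $token  = bin2hex(random_bytes(32));
        $family = $family ?? bin2hex(random_bytes(16));
        $this->rows[hash('sha256', $token)] = [
            'family' => $family, 'user' => $userId, 'exp' => time() + $ttl, 'used' => false,
        ];
        return $token;
    }

    // Consume the presented token and return a fresh one from the same family.
    // null means "reject and make the client log in again".
    // In a real DB the used-flag check and set must be one atomic statement
    // (e.g. UPDATE ... WHERE hash = ? AND used = 0), or two concurrent refreshes both succeed.
    public function rotate(string $presented): ?array
    {
        $key = hash('sha256', $presented);
        $row = $this->rows[$key] ?? null;
        if ($row === null || $row['exp'] < time()) {
            return null;                          // unknown or expired token
        }
        if ($row['used']) {                       // replay: attacker or client raced
            $this->revokeFamily($row['family']);  // kill every token from this login
            return null;
        }
        $this->rows[$key]['used'] = true;         // single use
        $new = $this->issue($row['user'], $row['family']);
        return ['user' => $row['user'], 'refresh_token' => $new]; // caller now mints the access JWT
    }

    public function revokeFamily(string $family): void
    {
        foreach ($this->rows as $k => $r) {
            if ($r['family'] === $family) { unset($this->rows[$k]); }
        }
    }
}

// Constructed usage: normal rotation works; replaying the old token revokes the family.
$store = new RefreshTokenStore();
$t1 = $store->issue(42);
$r  = $store->rotate($t1);                                   // ok, $r['refresh_token'] is new
if ($store->rotate($t1) !== null) { throw new RuntimeException('reuse not detected'); }
if ($store->rotate($r['refresh_token']) !== null) { throw new RuntimeException('family not revoked'); }
```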
@sharkblue58 Why not use an actual authorisation standard such as OAuth?
JWT isn’t great for stateful authentication because tokens contain the claims and are self-signed. Once they’re issued, there’s no way to revoke them.
For token-based authentication, I’ll always use a widely-accepted standard such as OAuth before I use something JWT-based or hand-rolled. There’s just no point in re-inventing the wheel.