惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Full Disclosure
Recorded Future
Recorded Future
T
Tenable Blog
S
Securelist
C
CERT Recently Published Vulnerability Notes
T
Threatpost
S
Schneier on Security
A
Arctic Wolf
The Hacker News
The Hacker News
C
CXSECURITY Database RSS Feed - CXSecurity.com
Know Your Adversary
Know Your Adversary
P
Privacy International News Feed
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
The Register - Security
The Register - Security
Cisco Talos Blog
Cisco Talos Blog
AWS News Blog
AWS News Blog
K
Kaspersky official blog
T
True Tiger Recordings
T
Threat Research - Cisco Blogs
V
Vulnerabilities – Threatpost
P
Palo Alto Networks Blog
T
The Exploit Database - CXSecurity.com
小众软件
小众软件
B
Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Microsoft Azure Blog
Microsoft Azure Blog
Cyberwarzone
Cyberwarzone
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tor Project blog
Spread Privacy
Spread Privacy
Malwarebytes
Malwarebytes
P
Proofpoint News Feed
F
Fox-IT International blog
F
Fortinet All Blogs
P
Privacy & Cybersecurity Law Blog
G
GRAHAM CLULEY
量子位
Latest news
Latest news
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 叶小钗
Project Zero
Project Zero
T
Tailwind CSS Blog
N
Netflix TechBlog - Medium
Martin Fowler
Martin Fowler
IntelliJ IDEA : IntelliJ IDEA – the Leading IDE for Professional Development in Java and Kotlin | The JetBrains Blog
IntelliJ IDEA : IntelliJ IDEA – the Leading IDE for Professional Development in Java and Kotlin | The JetBrains Blog
I
Intezer
博客园_首页
腾讯CDC
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
Darknet – Hacking Tools, Hacker News & Cyber Security

DEV Community

98. RAG: Give Your AI Access to Your Documents Why Getting a Tech Job Right Now Feels Broken? The Container Runtime Nobody Told You About (And Four Others) The Singleton Labyrinth Build your first MCP server in TypeScript: the 2026 setup that takes 30 minutes. Check Wallet Balances Across 4 Chains with Zero Dependencies — chain_balance.py Vectr — Code Intelligence AI Tool Veltrix Was Killing Us With YAML 5 PostgreSQL locking behaviors that trip people up Beyond Monolithic AI: How to Build a Pluggable "Brain" Architecture for Autonomous Agents Mastering Structured JSON Outputs with Gemini API ATR Implements the Detection Layer the NSA Identified as Missing in MCP I tried both Cursor and Antigravity(1.20) - Switching Context - which one is better? Negative Lookups in Bf-Tree: Caching Things That Don't Exist My Struggles as a Software Engineer in 2026 Why Hybrid Metaheuristics Still Beat “Smarter” AI in Real-World Optimization Cómo destacar como JR DEV en tu equipo I got tired of guessing which model holds my VRAM, so I built a tiny dashboard Qwen Is Not Yet Ready to Power Local OpenClaw Deployments Top 7 Featured DEV Posts of the Week Why I got frustrated with AI job search tools and built my own 10 Best Open-Source AI Agents for 2026 Contract Analysis Will Replace Legal Gatekeeping AWS Cloud Shell with Antigravity CLI Building Reliable Event Delivery for XRPL Applications AMTP: HTTP for the Agentic Web — A New Markdown-First Protocol for AI Agents LLM Security Vulnerabilities Engineers Need to Know in 2026 Shared Build Cache: Makes Sense for the Independent Developer? Live Lessons From Running a 5-Minute Polymarket Crypto Bot Cómo Evaluar Agentes IA: Tutorial de LLM-as-Judge Day 2 of Python Learning 🐍 I built a local-first Apple Health recovery briefing that shows its math I Built a REST Microservice With a Database in 3 Files — and Wrote Zero Code 10 Avro Schema Mistakes Even Experienced Developer Do Commit: Refactor background workers and logging pipeline GitHub Actions vs Jenkins vs GitLab CI: A Developer's Honest Comparison (2026) Clean Architecture in MongoDB + C#: Why is the Repository Pattern Alone Not Enough? I Tested 10 More Models. Five Brand New Families Debuted. None Scored Below 75%. I Almost Quit Coding to Become a Welder Understanding Reinforcement Learning with Human Feedback Part 6: How the Reward Model Trains the Original Model # Level Up Your Portfolio with Wowfolio.in: Free, Customizable, Type Inhabitation in Lean: Why “Hello {name}” Can Become a Theorem Mastering Context in Go: A Senior Engineer’s Playbook for Lifecycle Management Solana Transactions Through a Backend Developer’s Eye Agent as a Tool Call: Claude Code's Fork-Exec Pattern How I wired Stripe subscriptions to Supabase in Next.js 15 (the parts tutorials skip) Introduction to A2A and Agent Search Why Doesn't Linux Break Every Week? The "AI" Label Is Losing Its Meaning, and Companies Are the Ones Diluting It Bucky Fuller's To-Do List: Can AI Finally Solve the World's Cataloged Problems? My $10/Month VPS Gets 659 SSH Attacks per Day — Here's What 4 Weeks of Running an Autonomous AI Has Taught Me About Infrastructure Speed Up Your WordPress Site in 30 Minutes: A No-Plugin Performance Guide Breaking Code: The Addiction Nobody in Tech Will Admit To Nobody Reads AI Safety Papers. But 649 People Upvoted a Letter to an LLM. The Pope wrote about me Je vibe-coded app werkt. Maar kan hij ook live? The Event Store That Survived Black Friday Without a Single 5xx Audit-trail-by-construction: a thesis for spec-driven AI coding Day 8 - Sparse embedding - RAG How we made our Mac launcher feel instant by killing slow providers How we made our Mac launcher feel instant by killing slow providers Enterprise AI Agent Orchestration Patterns How to build your first MCP server in 10 minutes Claude Code's plan mode is prompt engineering, not hard enforcement Built a C# AI Agent That Researches Errors and Suggests Fixes From Shell Scripts to MCP Servers: How SEO Broke My Brain (in a Good Way) AI Agent Platform Buyer's Guide: 12 Questions to Ask Before You Sign 🦋 I Built a Living Terminal Animation with Hermes Agent — Here's How It Went. AI Agents Are Coming for Your WordPress Admin Panel, and That's Not a Bad Thing Tailscale + k3s in a 2‑node homelab: why I use Tailscale ONLY for the control plane When NOT to Use AI Agents: A Realistic Framework Human-in-the-Loop Patterns for High-Stakes AI Agent Decisions LLM Cost Optimization for Agent Workflows: A Practical Guide An Evolving Strategy for Knowledge Work: From Human-In-the-Loop to Human-Before-the-Loop Why I Wake Up at 5am to Run (And Why You Might Want To) I Scanned 260 Packages that your are using and Found 43 With Security Vulnerabilities The Easiest Way to Implement Theme Toggling in React 19 using next-themes & Tailwind CSS v4 AI skill testing: yes, your prompts need regression tests Why We Built AnToAnt: Designing Software Before Writing Code How I Built an End-to-End HR Attrition Dashboard Using MySQL & Power BI Why Hytale Treasure Hunt Engines Stumble Before 1,000 Concurrent Diggers: What Veltrix Does Not Document How to Implement Dark/Light Mode with No Flickers in Next.js Building My First Solana Transfer CLI Tool | #100DaysOfSolana What Is OAuth Token Exchange? CLI wrapper for Cloudflare Tunnel with Zero Trust Your Agent Acts Without Checking Your Error Budget — That's the Failure Mode Nobody Is Tracking The Death of the Junior Developer Is Greatly Exaggerated How I Built a Programmatic SEO Site with 16,750 Pages Using FastAPI and PostgreSQL Toward a Standard Model for Agent Memory I Applied SLA Concepts to My Email Inbox — Here's What I Learned Building the Chrome Extension How Spring Data JPA, JPA, and Hibernate work together What useOptimistic Actually Saves You The Vibe Tax: How Unvalidated AI Code Is Flooding the Market and Driving Up Technical Debt Building My First MCP Server with Claude and Python Azure Blob Storage for Beginners: Private Access, SAS Tokens & Cost Savings Explained I'm building a TypeScript data grid where config reads like English Revamped Proof for Finish-Up-A-Thon Selectors and its uses in HTML & CSS Bronto for Fastly: Real-Time CDN Logging That Actually Scales I Built a Local Interview Coach That Learns From Every Submission With Hermes Agent.
The Operational Cost of JWT Lifecycle Management: Overlooked Details
Mustafa ERBA · 2026-05-27 · via DEV Community

The Operational Burden of JWT Lifecycle Management

Every new technology that enters our lives initially excites us with its simplicity and promises. JSON Web Token (JWT) emerged as a great solution, especially for stateless authentication needs. However, over the years, I've begun to see more clearly the operational burden and costs associated with managing this technology. JWT itself, the structure of the token and its signing, is relatively straightforward. The real complexity arises throughout its lifecycle: its creation, distribution, verification, management of expiration times, and invalidation when necessary. If not managed correctly, these processes can lead to significant operational costs and security vulnerabilities.

In the real world, when we consider the journey of a JWT from its creation to its disposal, we see that it involves much more than just generating and sending a token. This journey, which begins when a user logs in, includes steps like sending the token to the server with every request, verifying its signature, checking its validity period, and even invalidating the token in certain situations (e.g., password change or suspicion of a security breach). Each of these steps creates a load on the infrastructure, and managing this load effectively is critical, especially in large-scale systems.

ℹ️ The Basic Structure of JWT

JWT is a compact string composed of three parts: Header, Payload, and Signature. The Header specifies the type of token and the signing algorithm used. The Payload contains user information or other identity data. The Signature is used to ensure the integrity and authenticity of the token. This structure makes the token itself verifiable but requires additional mechanisms for lifecycle management.

In this article, I will examine the operational cost of JWT lifecycle management from various perspectives. By providing concrete examples from my own experiences, I will highlight points that are often overlooked or underestimated. My aim is to help you foresee potential issues you might encounter while using this technology and to assist you in building more robust and manageable systems.

Costs of Token Creation and Distribution

The beginning of any user authentication process involves the creation of a JWT and its secure delivery to the user. Although this initial step may seem simple, it carries underlying operational and security costs. The processing power required to generate the token can become a significant factor, especially under heavy load. Furthermore, the signing algorithms and key management used to ensure the token's confidentiality and integrity add an extra burden.

When a user successfully logs in, a series of operations occur on the server side. The user's credentials are verified, and then a JWT is generated. The information embedded within this token (the payload) typically includes critical data such as the user's ID, roles, and the token's expiration time. The secure storage and management of the private keys used for signing the token are among the most important operational requirements here. If a key is compromised, the security of the entire system can be jeopardized. Therefore, key rotation and secure storage solutions are an integral part of the token creation process and require additional infrastructure investment.

💡 Key Management Strategies

Managing JWT signing keys is the cornerstone of security. Common strategies include:

  • Static Keys: Simple but risky. If the key doesn't change, a compromised key means a long-term security vulnerability.
  • Periodic Key Rotation: New keys are generated at regular intervals (e.g., every 3-6 months), and old ones are retired. This keeps the system current but requires careful planning during the transition.
  • Centralized Key Management Services (KMS): Services like AWS KMS, Azure Key Vault facilitate secure storage, management, and access control for keys, reducing operational overhead but incurring additional costs.

Delivering the token to the user is also a step that requires attention. It is typically done via the HTTP Set-Cookie header or the Authorization: Bearer <token> header. The choice of method depends on the application's architecture and security requirements. Cookie-based approaches can be more vulnerable to certain CSRF (Cross-Site Request Forgery) attacks, while using the Authorization header offers more flexibility but requires the token to be manually added with every request. Each of these distribution methods brings its own set of operational and security considerations.

The Load Imposed by the Token Verification Process

Verifying a JWT is a critical step that determines whether a request is valid. This process is repeated for every incoming request on the server and can severely impact application performance if not optimized correctly. The verification process essentially involves checking the validity of the token's signature and determining if the token has expired. However, each of these steps can impose a significant operational load, especially in high-traffic systems.

Verifying the token's signature involves obtaining the public key used when signing the token and recalculating the signature using this key. If the token was signed with a symmetric algorithm like HMAC, the server needs access to the secret key. Securely storing and accessing this key is an operational challenge in itself. If asymmetric algorithms like RSA or ECDSA are used, the public key must be obtained from a trusted source, which could be a JWKS (JSON Web Key Set) endpoint or cached in server memory.

⚠️ Caching Strategies and Risks

Caching public keys improves performance by reducing verification time. However, this requires a careful caching strategy. If the public key changes frequently, tokens signed with old keys might be incorrectly rejected, or vice versa, tokens signed with new keys might be attempted to be verified with old keys. To prevent such scenarios, setting an effective cache time-to-live (TTL) and correctly integrating key rotation mechanisms are vital. For example, during key rotation, both old and new keys can be accepted for a certain period to minimize errors during the transition.

Checking the token's expiration time (the exp claim) is also part of the verification process. This check is based on the server's clock and determines if the token is within its validity period. Time synchronization issues or deviations in the server's clock can lead to incorrect results. Therefore, ensuring servers are regularly synchronized with NTP (Network Time Protocol) and monitoring for potential time drifts is an operational requirement. Furthermore, if other time-related claims like nbf (not before) also need to be checked, the verification process becomes even more complex. Each of these steps consumes CPU and memory resources, and when repeated with every request, they increase the overall system load.

import jwt
from datetime import datetime, timedelta, timezone

# Example signing with RSA (key management would be more complex in a real scenario)
# Private key stored on the server
private_key = "----BEGIN PRIVATE KEY----...\n----END PRIVATE KEY----"
public_key = "----BEGIN PUBLIC KEY----...\n----END PUBLIC KEY----"

def create_jwt(user_id: str, roles: list[str], secret_key: str, expires_delta_minutes: int = 30) -> str:
    """Creates a JWT with user ID and roles."""
    payload = {
        "user_id": user_id,
        "roles": roles,
        "exp": datetime.now(timezone.utc) + timedelta(minutes=expires_delta_minutes),
        "iat": datetime.now(timezone.utc) # Issued At
    }
    try:
        encoded_jwt = jwt.encode(payload, secret_key, algorithm="RS256")
        return encoded_jwt
    except Exception as e:
        print(f"JWT creation error: {e}")
        return None

def verify_jwt(token: str, public_key: str) -> dict | None:
    """Verifies the JWT and returns the payload."""
    try:
        decoded_payload = jwt.decode(token, public_key, algorithms=["RS256"])
        # Additional checks: Has the token expired? (jwt.decode already does this, but manual check can be added)
        if decoded_payload["exp"] < datetime.now(timezone.utc).timestamp():
            print("Token has expired.")
            return None
        return decoded_payload
    except jwt.ExpiredSignatureError:
        print("Token has expired (ExpiredSignatureError).")
        return None
    except jwt.InvalidSignatureError:
        print("Invalid signature.")
        return None
    except jwt.InvalidTokenError as e:
        print(f"Invalid token: {e}")
        return None

# Usage example
user_id = "user123"
user_roles = ["admin", "editor"]
token_lifetime_minutes = 15

# Create token
generated_token = create_jwt(user_id, user_roles, private_key, token_lifetime_minutes)

if generated_token:
    print(f"Generated JWT: {generated_token}\n")

    # Verify token
    print("Verifying token...")
    decoded_data = verify_jwt(generated_token, public_key)

    if decoded_data:
        print("Verification successful. Payload:")
        print(decoded_data)
    else:
        print("Verification failed.")

# Expired token simulation
print("\nExpired token simulation...")
expired_payload = {
    "user_id": "expired_user",
    "roles": ["viewer"],
    "exp": datetime.now(timezone.utc) - timedelta(minutes=5), # 5 minutes ago
    "iat": datetime.now(timezone.utc) - timedelta(minutes=20)
}
expired_token = jwt.encode(expired_payload, private_key, algorithm="RS256")
verify_jwt(expired_token, public_key)

Enter fullscreen mode Exit fullscreen mode

This code example demonstrates the basic JWT creation and verification logic. In real production environments, aspects like key management, secure storage and distribution of tokens, error handling, and performance optimizations require much more attention. For instance, the jwt.decode function already performs the expiration check, but sometimes manual control or adding extra logic might be necessary.

Token Invalidation and Blacklist Management

One of JWT's greatest advantages is its stateless nature, meaning the server doesn't need to store user session information. However, this poses a significant operational challenge when a token needs to be invalidated before its expiration. When a user changes their password, a security breach is detected, or a user's account is disabled, all active sessions for that user must be terminated. Since JWT itself doesn't offer an invalidation mechanism, providing this functionality requires additional layers.

One of the most common methods to address this need is to maintain a "blacklist" or a list of "revoked tokens." This list is kept on the server side (in memory, database, or a dedicated cache service) and contains information about tokens that have expired but are no longer valid. With every incoming request, after the token is verified, it is also checked against this blacklist. If the token is found in the blacklist, the request is rejected.

🔥 The Cost of Blacklist Management

Blacklist management deviates from JWT's stateless nature, bringing additional costs:

  • Storage Cost: Additional storage space is required to keep revoked tokens. As this list grows, storage costs increase.
  • Performance Impact: Checking the blacklist with every request extends verification time. Especially when dealing with large blacklists, performing this check efficiently is critical. In-memory data stores like Redis are ideal for this scenario.
  • Consistency Challenges: In distributed systems, consistently propagating blacklist updates across all services can be difficult. This can lead to revoked tokens being accepted for a short period.
  • Integration with Key Management: The information that a token is revoked is typically associated with a session ID or the token itself, rather than the token's structure. This requires more complex key management and session tracking.

The size and management of blacklists grow proportionally with the system's scale. In a system with millions of active users, if a token needs to be added to the blacklist every time a user logs out or changes their password, this list can rapidly grow, degrading query performance. Therefore, storing blacklist entries only when truly necessary (e.g., in case of a security breach) and for a limited duration is important to keep operational costs under control.

Expiration Length and the Security Paradox

The JWT's lifespan requires a delicate balance between security and usability. Short-lived tokens are more advantageous from a security perspective, as their impact is limited if stolen. However, the need for users to constantly re-login negatively affects the user experience and increases the login load on the system. Long-lived tokens, on the other hand, offer a better user experience but also introduce security risks.

A JWT's exp (expiration) claim determines how long the token remains valid. In determining this duration, the application's overall security policy and user experience goals must be considered. For instance, a banking application might prefer short-lived tokens (e.g., 5-15 minutes), while an e-commerce site might find durations of 1-2 hours more acceptable. However, to keep a user logged in beyond this period, the use of "refresh token" mechanisms is common practice.

💡 Refresh Token Mechanism

Refresh tokens are used to obtain a new access token when short-lived access tokens expire, without forcing the user to log in again. Refresh tokens typically have a longer lifespan (days, weeks, or months) and must be stored securely. When a user sends a refresh token, the server verifies it and generates and returns a new short-lived access token. This mechanism provides a significant improvement in terms of both security and user experience, but the management of refresh tokens (storage, invalidation) also brings its own operational overhead.

A long-lived JWT, if stolen, can potentially be used by malicious actors for an extended period. This poses serious risks, especially in applications dealing with sensitive data. Therefore, in addition to the token's duration, verifying contextual information such as the IP address and device information from which the token is used can enhance the security layer. However, such checks make the verification process more complex and increase the operational load.

For example, in one project, we set the JWT validity period to 1 hour for requests coming from users' mobile devices. However, users began reporting being frequently logged out. Upon detailed investigation, we found that some users had unstable network connections, causing their tokens to become invalid before the exp period elapsed. To resolve this, we increased the token duration to 2 hours and made the refresh token mechanism more aggressive. This simple change improved the user experience while demonstrating how finely tuned token management needs to be.

Alternatives and Future Perspectives

Various alternative approaches and technologies exist to alleviate the operational burden of JWT and reduce security vulnerabilities. These alternatives should be evaluated based on the application's specific requirements and scalability goals. While JWT's stateless nature is appealing, it may not always be the most suitable solution.

One alternative is to use traditional session-based authentication. In this model, the server generates a session ID for each user and sends it to the client (usually via a cookie). The client sends this session ID back to the server with every request. The server then uses this ID to access session information stored in a database or cache. This approach makes implementing revocation mechanisms easier since sessions are managed directly on the server side. However, being non-stateless, it can present scalability challenges and consume more server resources.

ℹ️ Session-Based Authentication

Advantages:

  • Easy Revocation: Since sessions are kept server-side, terminating or invalidating a session is straightforward.
  • Less Token Manipulation: Only a session ID is stored client-side, rather than managing complex tokens.
  • Data Privacy: Sensitive user data is typically stored in server-side session data, not within the token.

Disadvantages:

  • Scalability Challenges: The need to share session information across all servers (sticky sessions or distributed cache) complicates scaling.
  • More Server Resources: Server memory or database resources must be allocated for each session.
  • Stateful Architecture: Limited suitability for distributed and stateless architectures.

Another approach is to make revocation mechanisms more efficient while preserving JWT's stateless nature. For instance, by using short-lived JWTs combined with a distributed cache system (like Redis) for managing revoked tokens, it's possible to optimize blacklist size and query times. Additionally, different cryptographic mechanisms, such as MAC (Message Authentication Code)-based tokens or one-time tokens, might be more appropriate in specific scenarios.

In the future, it's likely that more sophisticated solutions will emerge in the field of authentication and authorization. Technologies like Verifiable Credentials and Self-Sovereign Identity (SSI) could allow users to manage their identity information under their own control, without relying on a central authority. While these technologies may not replace existing JWT-based systems entirely, they could offer more secure and user-centric alternatives in certain use cases. However, the operational complexity and adoption process of these technologies must also be considered.

Conclusion: A Pragmatic Approach to JWT Management

JWT is a powerful authentication tool for modern web applications. However, the management and operational complexities brought about by its stateless nature should not be overlooked. Each step in the lifecycle, including token creation, distribution, verification, and especially revocation, requires careful planning and continuous optimization. The cost of these processes is not limited to processing power; it also includes security risks, development effort, and maintenance overhead.

In my own experience, I've found that one of the biggest pitfalls when using JWT is falling into the misconception that it's an "easy" and "simple" solution. In reality, especially in high-security or large-scale systems, the operational costs of JWT lifecycle management can significantly increase. To manage these costs, strategic decisions such as correctly setting token expiration times, effectively using refresh token mechanisms, and implementing an efficient blacklist solution for revocations are necessary.

💡 Recommendations for Pragmatic JWT Management

  1. Short-Lived Access Tokens: Keep the validity period of access tokens short (e.g., 15-30 minutes) to enhance security.
  2. Reliable Refresh Token Mechanism: Improve user experience with long-lived refresh tokens and manage them securely (e.g., HTTP Only, Secure cookies, secure database storage).
  3. Efficient Revocation Mechanism: When token revocation is necessary, create a fast and scalable blacklist (revocation list) using in-memory databases like Redis. Avoid storing revoked tokens for too long.
  4. Appropriate Signing Algorithm: Asymmetric algorithms (e.g., RS256) are generally more secure, but you need good public key management. Symmetric algorithms (e.g., HS256) are simpler, but the security of the secret key is paramount.
  5. Time Synchronization: Ensure your servers' time is accurate and synchronized (NTP).
  6. Contextual Verifications: If possible, strengthen the security layer by checking additional information like IP address and User-Agent during token verification.
  7. Consider Alternatives: Investigate whether session-based authentication or newer authentication standards might be more suitable for your application's requirements.

In conclusion, using JWT is a trade-off. Its stateless advantages must be balanced against the operational complexity and security management overhead. When this balance is struck correctly, JWT remains a powerful authentication solution. However, establishing this balance isn't just about writing code; it requires a holistic approach encompassing infrastructure, operations, and security strategies.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。