• Rick, 2 years ago:
    I see
• Rick, 2 years ago:
    Hi @User, I'm wondering how SuperTokens handles the logout/revoke issue if using a JWT access token? Does SuperTokens use a blacklist? Or just simply let the token expire?
• rp, 2 years ago:
    So when logging out, we clear the cookies on the frontend & revoke the session from the DB. In this case, if the JWT access token was previously saved manually by the user, they will still be able to access the APIs. That's why it's recommended to keep them as short-lived as possible. We also have access token blacklisting, which will instantly revoke the JWT. However, there you lose the performance benefit of session verification.
• Rick, 2 years ago:
    So the blacklist stuff is like an option switch in SuperTokens?
• rp, 2 years ago:
    yup
• Rick, 2 years ago:
    got it, thanks~
• rp, 2 years ago:
    If you're using on-prem, then it's an option in the config.yaml file. If SaaS, it's a config on the dashboard -> edit configuration.
• rp, 2 years ago:
    If using Docker on-prem, you can pass it as an env variable in your docker run command.
• Rick, 2 years ago:
    One more thing, is SuperTokens' access token made of JWS or JWE? It carries the user's info, right?
• rp, 2 years ago:
    We also plan on adding a blacklisting check per API. So in your sensitive APIs, you can switch that on, whilst in GET requests, you can keep it off = good balance between security & speed.
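The trade-off rp describes (a signed, short-lived access token that stays valid after logout unless the verifier also consults a revocation blacklist, optionally only on sensitive endpoints) as an added, self-contained example; this is illustrative code written for this thread, not SuperTokens' own implementation, and the HS256 key, claim names and session handles are constructed.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-signing-key"  # constructed; a real key lives in a secret store
REVOKED_SESSIONS = set()  # the blacklist: session handles revoked at logout

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, session_handle, ttl_s, now):
    """Mint an HS256-signed JWS carrying the user id, session handle and expiry."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "sessionHandle": session_handle, "exp": now + ttl_s}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def logout(session_handle):
    """Server side of logout: revoke the session (the frontend clears the cookie)."""
    REVOKED_SESSIONS.add(session_handle)

def peek_claims(token):
    """A JWS is signed, not encrypted: whoever holds it can read the claims."""
    return json.loads(_unb64(token.split(".")[1]))

def verify(token, now, check_blacklist):
    """Return the claims if accepted, else None. check_blacklist=False is the
    cheap stateless path; True adds the revocation lookup for sensitive APIs."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered token
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired: the only protection when the blacklist is off
    if check_blacklist and claims.get("sessionHandle") in REVOKED_SESSIONS:
        return None  # instantly revoked, at the cost of a lookup per request
    return claims
```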