1. Without having a blacklist of JWTs on your server, you cannot revoke JWTs before they naturally expire. This is one reason why it is recommended to have short-lived JWTs along with long-lived refresh tokens (which are not JWTs).
2. In order to build it yourself, you will have to do the following:
- Spend weeks and months trying to understand the best security practices.
- After understanding them, you will have to spend a few more weeks / months actually building it out (some of the RFCs are 400+ pages long.)
- After you have built it, you will have to be responsible for maintaining it for your app - any changes to the RFCs or browsers (like they added SameSite cookies) or your backend / frontend will probably require a ton of work from your side.
- You will also have to take the headache of scaling it as your app grows.
- You will have to do all that, plus of course, run your business and app. Any mistake in your session implementation, and your app is practically down for all your logged-in users. Any security flaw, as your app grows, and your user data is likely to be compromised, and you may be able to do very little at that point in time.
- Instead, you could use a third party library like SuperTokens which does all that for you and has a free version which works for all use cases pertaining to sessions - no matter how many sessions your app will have.