Echo JS 0.11.0


tracker1 2859 days ago. link 1 point
Regarding invalidating JWT...

Have the client keep initial credentials in memory, use JWT for all transactions, and have the issued JWT valid for N minutes. After the JWT expires, require the client to get a new JWT... Allow expired JWT for insensitive areas, but require reauth for sensitive ones, unless same session in the browser. By having a much shorter JWT lifecycle, you can skip the revocation server.
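The policy described in the comment above, as an added example that is not part of the original post: a server-side check for short-lived HS256 tokens that lets an expired token through for non-sensitive routes and asks for re-authentication on sensitive ones. The names `sign` and `authorize`, the `sensitive` and `sameSession` flags (the caller decides how "same session" is established) and the sample key and timestamps are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');
const mac = (data, key) => crypto.createHmac('sha256', key).update(data).digest();

// Issue a token valid for ttlSeconds (the comment's "N minutes").
function sign(claims, key, now, ttlSeconds) {
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify({ ...claims, iat: now, exp: now + ttlSeconds }));
  return `${header}.${body}.${b64u(mac(`${header}.${body}`, key))}`;
}

// Returns 'allow', 'reauth' or 'reject'. `now` is in seconds since the epoch.
function authorize(token, key, now, { sensitive, sameSession }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 'reject';
  const [header, body, sig] = parts;
  const expected = mac(`${header}.${body}`, key);
  const given = Buffer.from(sig, 'base64url');
  // The signature is verified before any claim is trusted, expired or not.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'reject';
  }
  let h, claims;
  try {
    h = JSON.parse(Buffer.from(header, 'base64url'));
    claims = JSON.parse(Buffer.from(body, 'base64url'));
  } catch {
    return 'reject';
  }
  // Pin the algorithm and require a numeric expiry.
  if (h?.alg !== 'HS256' || typeof claims?.exp !== 'number') return 'reject';
  if (now < claims.exp) return 'allow';
  // Expired: accepted for non-sensitive areas, or within the same browser session.
  if (!sensitive || sameSession) return 'allow';
  return 'reauth';
}

// Constructed sample: a 5-minute token checked 10 minutes after issue.
const KEY = 'demo-key-constructed';
const t0 = 1700000000;
const tok = sign({ sub: 'alice' }, KEY, t0, 300);
console.log(authorize(tok, KEY, t0 + 600, { sensitive: true, sameSession: false })); // reauth
```

In this sketch an expired token stays acceptable on non-sensitive routes for as long as the signing key is unchanged, so those routes should expose nothing a stale or stolen token should not reach.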