JWT and one-time tokens?

Question

I\'m in the process of rolling my own JWT token auth, however, I would really like it to be a one time-token – so once it\'s used, the server generates a new token and the c

Answer 1

Solutions exist, of course.

As with any distributed system (you mentioned scalability) you have to choose between availability and consistence.

1. You choose availability. In this case you could maintain a list of already-used tokens that you replicate in a eventually consistent manner between all the endpoints. For example when a token is used the respective endpoint send that token to the other endpoints in the backgound. There is however a (short) time frame when that token can be used a second time by another endpoint until that endpoint is updated.

2. You choose consistency (you won't allow a token to be used multiple times whatsoever). In this case you use a central database with already-used tokens and you check that database everytime you need to perform an action. Scalability? You could use sharding on the token and have n databases, each one being responsible for a tokens subset.

It depends on your business what solution fits best.