As I said before: My objective is to build a complete frontend app (vuejs) that relies only on stateless API endpoints (even the login).
— The Spotify API makes you need a new token every hour
— Jwt + webapi + no revocation method = just stop
— Very very bad idea
— Remove any one of those and it's fine without revocation though
— Not if you issue new tokens for every request
— If you issue tokens for every request with a refresh token, like with OAuth, and still use a SPA/webapi, it doesn't matter as an attacker can then abuse that refresh token, and it does not help whatsoever
— I similarly used to deploy jwt in SPA/webapi apps and found the same, wrote my own jwt library, and spent a year researching how to secure it... without a blacklist table there is no way to secure it in a way that would let me sleep at night personally