Stop Using JWTs (gist.github.com)
457 points by dzonga 23 hours ago | 266 comments
tl;dr: JWTs are unsuitable for user sessions: the spec is designed for short-lived (~5 min) tokens, "stateless" auth isn't practically secure, and the specification itself has known flaws distrusted by security experts. Regular cookie-based sessions are simpler, more flexible, and purpose-built for keeping users logged in. If you genuinely need signed short-lived tokens, use PASETO instead—and never store auth credentials in localStorage.
HN Discussion:
  • JWTs are fine for service-to-service auth but shouldn't be used for browser sessions
  • JWTs can be made secure with short lifetimes, refresh tokens, and revocation nonces
  • The article is sensationalist and lacks evidence; no real-world attacks demonstrate JWTs are broken
  • Cookie-stored JWTs are essentially equivalent to session cookies, so the distinction is overblown
  • Agreement that JWTs are the wrong tool for web auth, suitable only for service-to-service
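The tl;dr and the discussion points above hinge on one practical question: what does it take to log a user out, or to invalidate a stolen credential, under each model? The following is an added example written for this summary; it is not code from the linked gist or from any commenter. It implements a minimal HS256-style token issuer/verifier with the two controls the discussion mentions (short `exp` and a revocation list keyed on `jti`) alongside a plain server-side session store with a cookie set `HttpOnly; Secure; SameSite`. The key `DEMO_KEY`, the in-memory stores and the lifetimes are constructed for the demo. The point it shows is that the moment you need revocation, the "stateless" token needs a server-side set anyway, at which point the session store is the simpler design.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret; a real service loads this from a secret store.
DEMO_KEY = b"demo-secret-key-for-illustration-only"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# ---- Model 1: signed short-lived token (JWT-style) -------------------------

REVOKED_JTIS = set()  # the state a "stateless" design still needs for logout


def issue_token(sub: str, lifetime_s: int, now=None) -> str:
    """Mint a compact header.payload.signature token signed with HMAC-SHA256."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + lifetime_s,
               "jti": secrets.token_hex(8)}
    signing_input = (f"{_b64u(json.dumps(header).encode())}."
                     f"{_b64u(json.dumps(payload).encode())}")
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64u(sig)}"


def verify_token(token: str, now=None):
    """Return the payload if the token is authentic, unexpired and not revoked, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64u_dec(h))
        signature = _b64u_dec(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    payload = json.loads(_b64u_dec(p))
    if payload.get("exp", 0) <= now:          # short lifetime bounds the damage window
        return None
    if payload.get("jti") in REVOKED_JTIS:    # revocation requires server-side state
        return None
    return payload


def revoke_token(token: str) -> None:
    """Add the token's id to the revocation set (e.g. on logout or compromise)."""
    _, p, _ = token.split(".")
    REVOKED_JTIS.add(json.loads(_b64u_dec(p))["jti"])


# ---- Model 2: opaque server-side session with a hardened cookie -----------

SESSIONS = {}  # session id -> session record; constructed in-memory store


def create_session(sub: str, now=None):
    """Create a session and return (session_id, Set-Cookie header value)."""
    sid = secrets.token_urlsafe(32)  # 256 bits of entropy, no structure to forge
    SESSIONS[sid] = {"sub": sub, "created": time.time() if now is None else now}
    # HttpOnly keeps the id away from page scripts (unlike localStorage),
    # Secure restricts it to TLS, SameSite limits cross-site sending.
    cookie = f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return sid, cookie


def lookup_session(sid: str):
    return SESSIONS.get(sid)


def destroy_session(sid: str) -> None:
    """Logout is a delete: the record is gone, so the id is instantly useless."""
    SESSIONS.pop(sid, None)


if __name__ == "__main__":
    tok = issue_token("alice", lifetime_s=300, now=1000)
    print("valid at t=1100:", verify_token(tok, now=1100) is not None)
    print("valid at t=1300:", verify_token(tok, now=1300) is not None)
    revoke_token(tok)
    print("valid after revoke:", verify_token(tok, now=1100) is not None)
    sid, cookie = create_session("alice")
    print(cookie)
```

Running the block prints that the token is accepted inside its five-minute window, rejected once `exp` passes, and rejected after revocation even though it is still unexpired; the session variant reaches the same outcome with a single dictionary delete and a cookie the browser protects for you.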