The stateless idea
A JWT is a signed token that carries claims about the user, such as their id and roles. With stateless sessions the server stores nothing. It simply verifies the token signature on each request and trusts the claims inside.
This scales beautifully because any node can validate a token using only the signing key. There is no shared session store to hit on every request.
The cost of statelessness
- Revocation is hard. Because the server keeps no record of the session, a stolen token stays valid until it expires; there is no session to delete.
- Tokens can grow large. Every claim travels on every request, inflating headers.
- Claims go stale. If a user's role changes, tokens issued earlier still carry the old role until they expire.
Mitigations
- Keep token lifetimes short and pair them with a refresh flow.
- Maintain a small deny list of revoked token ids for emergencies.
- Put only stable, low sensitivity claims in the token.
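As an added example (not code from the original page), here is a minimal HS256 issuer and verifier written with only the Python standard library. It combines the stateless signature check with the two mitigations above: a short exp and a small deny list of token ids. The secret, the claim names and the five-minute lifetime are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"demo-signing-key-not-for-production"
# The one piece of state we keep: revoked token ids (jti) for emergencies.
REVOKED_JTI = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(claims: dict, ttl_seconds: int = 300, now=None) -> str:
    """Sign claims with a short lifetime; `now` is injectable for tests."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(body)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, now=None) -> dict:
    """Stateless signature check, then the two cheap stateful mitigations."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Pin the algorithm server-side; never let the header choose it.
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:          # short lifetime bounds exposure
        raise ValueError("expired")
    if claims.get("jti") in REVOKED_JTI:     # deny list handles emergencies
        raise ValueError("revoked")
    return claims


def revoke(jti: str) -> None:
    REVOKED_JTI.add(jti)
```

Note that the deny list only needs to hold an id until that token's exp passes, so with short lifetimes it stays small.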
Key idea
Stateless JWT sessions trade easy horizontal scale for hard revocation, so they need short lifetimes and a deny list to stay safe.