You don't need JWT to authenticate users

Last update: 06-10-2017

.. because you probably have two use cases:

  1. as a user I want to invalidate a specific session, without signing out all my devices
  2. as the system I want to be able to invalidate a session immediately

You can use a list to define which tokens are active, or a list where you store tokens you won't allow. In both cases you have to save the token and look it up in your database anyway. That said, you can use a plain old random string to look up valid sessions (and eventually the user) in the DB.
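A sketch of that random-string approach covering both use cases, added here as an example and not code from the original post. The table layout, the function names and the choice to store only a SHA-256 digest of the token are assumptions of this sketch.

```python
import hashlib
import secrets
import sqlite3


def open_store():
    # In-memory DB for the example; schema is an assumption of this sketch.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "token_hash TEXT UNIQUE NOT NULL, "
        "user_id TEXT NOT NULL, device TEXT NOT NULL)"
    )
    return db


def _digest(token):
    # Only the digest is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(db, user_id, device):
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO sessions (token_hash, user_id, device) VALUES (?, ?, ?)",
        (_digest(token), user_id, device),
    )
    return token  # sent to the client once, e.g. in a cookie


def lookup(db, token):
    # Runs on every request: token -> session -> user, or None if revoked/unknown.
    row = db.execute(
        "SELECT user_id FROM sessions WHERE token_hash = ?", (_digest(token),)
    ).fetchone()
    return row[0] if row else None


def list_sessions(db, user_id):
    # What a "your devices" page would show; never exposes tokens.
    return db.execute(
        "SELECT id, device FROM sessions WHERE user_id = ?", (user_id,)
    ).fetchall()


def revoke_session(db, user_id, session_id):
    # Use case 1: drop one session; scoped to its owner. Effective immediately.
    cur = db.execute(
        "DELETE FROM sessions WHERE id = ? AND user_id = ?", (session_id, user_id)
    )
    return cur.rowcount == 1
```

The system-side invalidation from use case 2 is the same `DELETE`, issued by the server instead of the user; the next `lookup` for that token returns `None`.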