I am tired of pretending JWT (JSON Web Token) is fine. It isn't. It's a cargo cult. It solves a problem your app almost certainly does not have, creates four or five problems your app definitely does have, and a generation of backend developers has been pressured into adopting it because of some 2014-era blog posts touting "stateless" as a virtue rather than a tradeoff.
Every JWT-based system I have audited has the exact same issues: a broken token revocation story, a useless and over-engineered refresh token dance, and client-side codebases that decode the payload and blindly trust it. If you're building a web app, a mobile app, or a first-party API, JWT is the wrong default. A row in Postgres with a bearer token in front of it is faster, simpler, and strictly more secure.
Let's look at the core of the issue. A JWT consists of three base64url segments: a header, a JSON payload, and a signature (HMAC or RSA/ECDSA). The pitch is that the server signs it, the client carries it, and subsequent requests only need signature verification with no database round-trip. This "stateless" benefit is its entire value proposition. But strip that away, and it's just an opaque token wearing a costume.
The illusion falls apart with one simple question: How do you log a user out before the expiration time (exp)?
The hard truth is: you can't. The token remains valid until it expires. The only way to invalidate it earlier is to store a revocation list on the server and check it on every single request. But that requires a database lookup—the very thing JWT was designed to avoid. You end up reinventing sessions, just badly.
Developers are left with two losing moves: either allow compromised tokens to remain active until they expire (leading to massive security risks with long-lived tokens in production), or maintain a database/Redis blacklist, paying both the CPU cost of signature verification and the database round-trip cost. There is no magical third option.
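To make the argument concrete, here is an added example (not code from the original post) that mints and verifies an HS256 JWT by hand, shows that decoding a payload is not the same as verifying it, and then shows that "log out before exp" only works once a server-side denylist lookup is added, next to the one-row-per-session alternative the post recommends. The key, timestamps and user names are constructed for the example; the hand-rolled base64url/HMAC code stands in for a JWT library so the block runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key (an assumption of this example); a real service loads it from a secrets store.
SECRET = b"constructed-demo-hmac-key-not-for-production"


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding JWT uses for all three segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_jwt(sub: str, ttl: int, now: int) -> str:
    """Build header.payload.signature with HS256; the jti claim gives the token an identity we can revoke."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(
        {"sub": sub, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)},
        separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """What a careless client does: read the payload without checking the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tamper_sub(token: str, new_sub: str) -> str:
    """Rewrite the sub claim but keep the old signature, to show why decoding is not verifying."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["sub"] = new_sub
    return f"{header}.{b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"


def verify_jwt(token: str, now: int, denylist: Optional[set] = None) -> Optional[dict]:
    """Return the claims only if the alg is pinned, the signature matches, and the token is unexpired and not revoked."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        return None
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("exp", 0) <= now:
        return None
    # Logout before exp only works with this lookup, i.e. the server-side state JWT promised to avoid.
    if denylist is not None and claims.get("jti") in denylist:
        return None
    return claims


class SessionStore:
    """The post's alternative: a random bearer token keyed to one server-side row."""

    def __init__(self) -> None:
        self.rows: dict = {}          # stands in for a Postgres table, keyed by a hash of the token

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()   # store a digest so a table leak does not leak bearer tokens

    def create(self, sub: str, ttl: int, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.rows[self._key(token)] = {"sub": sub, "exp": now + ttl}
        return token

    def lookup(self, token: str, now: int) -> Optional[dict]:
        row = self.rows.get(self._key(token))
        if row is None or row["exp"] <= now:
            return None
        return row

    def revoke(self, token: str) -> None:
        self.rows.pop(self._key(token), None)   # logout is one delete and takes effect on the next request


if __name__ == "__main__":
    now = 1_700_000_000                       # constructed clock value
    jwt = mint_jwt("alice", 3600, now)
    print("valid:", verify_jwt(jwt, now)["sub"])
    print("tampered, decoded blindly:", decode_unverified(tamper_sub(jwt, "admin"))["sub"])
    print("tampered, verified:", verify_jwt(tamper_sub(jwt, "admin"), now))
    revoked = {verify_jwt(jwt, now)["jti"]}   # "logout": only effective if every request consults this set
    print("after logout, no denylist:", verify_jwt(jwt, now) is not None)
    print("after logout, with denylist:", verify_jwt(jwt, now, revoked))
```

The two halves are worth comparing line by line: the JWT path pays for the HMAC and then, to support logout, a denylist lookup on top; the session path pays for one hashed lookup and nothing else, and revocation is a delete rather than a second data structure that must be consulted forever.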
[AgentUpdate Depth Analysis] As AI agents transition to autonomous execution and multi-agent workflows, authentication mechanisms must evolve. In an AI agent ecosystem, especially with protocols like MCP (Model Context Protocol), agents wield significant API execution power, which makes them highly exposed to prompt injection and rogue execution paths. JWT's inability to support instant revocation without server-side state becomes an unacceptable security hazard here. If an agent's credentials are compromised or it deviates from its goal, security systems must be able to revoke its access in real time. Moving forward, the AI agent paradigm will demand a shift away from coarse, stateless JWTs toward stateful, fine-grained, dynamic capability-based tokens that allow instantaneous policy enforcement and granular control over autonomous agent networks.