Is there a setting page on the lemmy instance where I can download all my data?

  • 7heo · 7 months ago

    One thing to be aware of is that there is currently, AFAIK, no way to “disable” a JWT.

    Once you have created it, if you leak it, your account is, as far as I can tell, definitely compromised.

    I will add, as a disclaimer, that I have not checked if there are conditions (password change, etc) under which any or all JWT (user, instance, etc) become invalid. So do audit the code if this is something that concerns you. As far as I am concerned, I treat the JWTs as extra-sensitive information, and store them only on machines I own.

    • nutomic [M] · 7 months ago

      The jwt is invalidated once you logout. You can also change/reset your password to invalidate all login tokens for your account.

      • 7heo · 7 months ago (edited 7 months ago)

        > The jwt is invalidated once you logout.

        Invalidated how?

        > You can also change/reset your password to invalidate all login tokens for your account.

        OK. I was afraid this would not be the case. Thanks for confirming.

        • nutomic [M] · 7 months ago

          > Invalidated how?

          Well it’s deleted from the database so you can’t authenticate with it anymore.

          • 7heo · 7 months ago

            OK there now is a LoginToken class. This was not the case last time I checked. Good. Thanks for your answers.
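
The mechanism discussed in this thread, as an added example that is not from any commenter and is not Lemmy's code: a signed JWT is accepted only while a matching row exists server-side, so logout removes one row and a password change removes every row for the account. `TokenStore` and its method names are hypothetical, HS256 is an assumed algorithm, and storing a hash of the token rather than the token itself is this example's choice.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)  # constructed per-process signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def _row_key(token: str) -> str:
    # Keep only a hash server-side, so a leaked table does not leak usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

class TokenStore:
    """Hypothetical stand-in for a database table of issued login tokens."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> user_id

    def login(self, user_id: int) -> str:
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        # jti makes every issued token unique, even for the same user.
        claims = {"sub": user_id, "jti": secrets.token_hex(8)}
        payload = _b64(json.dumps(claims).encode())
        token = f"{header}.{payload}.{_sign(header + '.' + payload)}"
        self._rows[_row_key(token)] = user_id
        return token

    def authenticate(self, token: str):
        """Return the user id, or None if the token is forged or revoked."""
        try:
            header, payload, sig = token.split(".")
        except ValueError:
            return None  # not three dot-separated parts
        expected = _sign(f"{header}.{payload}")
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None  # signature check failed: we did not issue this
        # Revocation check: a validly signed token still needs its row.
        return self._rows.get(_row_key(token))

    def logout(self, token: str) -> None:
        self._rows.pop(_row_key(token), None)  # ends this one session

    def change_password(self, user_id: int) -> None:
        # Delete every row of this user: all of their tokens stop working.
        self._rows = {k: u for k, u in self._rows.items() if u != user_id}
```
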