Aug 28, 2021
Good primer on the basics. In practice, the fact that a JWT is not cancellable—in other words, there is no "logout" capability—must be dealt with. Keeping a blacklist has been suggested, but that becomes stateful. The better way seems to be to have short-lived tokens and an auto-renewal mechanism. I haven't solved it yet in my app, but I saved these links to study: https://deniapps.com/blog/jwt-token-auto-renew-auto-logout & https://www.npmjs.com/package/@w3lcome/feathers-refresh-token?activeTab=readme