Jwt stale token revoke issue

We have a Django-based microservices application that uses JWT for authentication. To avoid calling the Customer Service on every request, our JWT access token contains user metadata such as customerId, username, email, and phoneNumber.

When a user updates their profile (e.g., changes their email or phone number) from one session, we immediately issue a new JWT containing the updated information for that session. However, all of the user's other active sessions continue using their existing JWTs, which now contain stale data until those tokens expire.

Reducing the access token expiry (e.g., to 15 minutes) only reduces the duration of the inconsistency—it doesn't eliminate it. Since JWTs are stateless, we also can't invalidate or update all of the user's existing tokens without introducing server-side state.

What is the recommended approach to handle this scenario in a microservices architecture?

Вернуться на верх