All Auth0-issued JWTs have JSON Web Signatures (JWSs), meaning they are signed rather than encrypted. A JWS represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures.
Once issued, access tokens and ID tokens cannot be revoked in the same way as cookies with session IDs for server-side sessions.
As a result, tokens should be issued for relatively short periods, and then refreshed periodically if the user remains active.
Updated 8 months ago