I would like to hear your opinion about how to invalidate a token. The 2 options we have so far: 1) query the DB on every request and 2) cache the DB data for some minutes. It seems both don't fit well in modern web development.
Tradeoff: You can't implement individual token revocation, but you can easily implement a "Logout on all devices" system. You have a timestamp with a "minimum issued at" attached to each identity, and if that identity (user) chooses to "logout from all devices", you set the timestamp to the current time. Upon validating a token you only make sure the issued-at (iat) is after your "minimum issued at".
I think it is a really good trade-off, as in case of a security breach you have an easy way to mitigate leaked tokens. The downside is that your user will have to re-login on all devices. If you do not want to burden your users with the login on all devices, you should ask yourself how often you have security breaches and leaked tokens; it might be that you have other issues going on.
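The "minimum issued at" check described in the answer above, as an added example that is not code from either post. It assumes HS256-signed tokens built with the standard library; the function names, the demo key and the in-memory `min_issued_at` dict (standing in for a per-user database column) are hypothetical.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret
min_issued_at = {}                # user id -> "minimum issued at" (assumed store)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    mac = hmac.new(SECRET, signing_input.encode(), hashlib.sha256)
    return _b64(mac.digest())

def issue_token(user: str, now: int, ttl: int = 3600) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "iat": now, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{_sign(header + '.' + payload)}"

def logout_everywhere(user: str, now: int) -> None:
    # "Logout on all devices": one write per user, no per-token state.
    min_issued_at[user] = now

def validate(token: str, now: int):
    """Return the claims if the token is acceptable, else None."""
    try:
        header, payload, sig = token.split(".")
        # Verify the signature before trusting any field in the token.
        if not hmac.compare_digest(sig, _sign(header + "." + payload)):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(payload))
        sub, iat, exp = claims["sub"], claims["iat"], claims["exp"]
        if not isinstance(iat, int) or not isinstance(exp, int) or now >= exp:
            return None
        # iat must be strictly after the user's minimum, as the answer states.
        # With one-second resolution, a token issued in the same second as
        # the logout is rejected too.
        if iat <= min_issued_at.get(sub, 0):
            return None
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
```

The per-user minimum is a single small value that changes only on logout, so it is far cheaper to look up or cache than a per-token revocation list.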