Why token revocation matters — and why JWT can't do it

DEV Community: typescript·German·2 days ago
#dev#token#revocation#valid#expiry#tokens

JWT has a design problem that most developers don't think about until it bites them. Once you issue a JWT, you can't take it back. The token is valid until it expires. There's no built-in mechanism to say "this token is no longer valid, reject it." The signature is cryptographically correct, the expiry hasn't passed — and yet you need it to stop working right now.

This isn't a bug. It's a deliberate tradeoff in JWT's stateless design. But it's a tradeoff with real consequences.

The scenarios where this actually hurts

User logs out. The client discards the token, but the token is still cryptographically valid. If someone intercepted it — through a compromised device, a browser extension, a network log — they can still use it until it expires. You have no way to stop them.

Order cancelled. You signed a payment intent with a 5-minute expiry. The user cancels before paying, but the token is still valid for the next 4 minutes and 50 seconds. Anyone holding that token can still attempt to complete the transaction.…
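To make both scenarios concrete, here is an added TypeScript example (not code from the original DEV Community article). It implements a minimal HS256 JWT sign/verify with Node's built-in `crypto`, shows that a purely stateless check still accepts a token after "logout" or "cancel", and then adds the usual fix: a server-side revocation list keyed by the token's `jti` claim, whose entries only need to live until the token's own `exp`. The key, claim values, clock values and the in-memory `RevocationList` class are all constructed for this demonstration; a real deployment would back the list with a shared store such as a cache that every verifying node can reach.

```typescript
import { createHmac, timingSafeEqual, randomUUID } from "node:crypto";

// Added example, not from the original article. Minimal HS256 JWT issue/verify
// plus a server-side revocation list keyed by the `jti` claim. All keys, claims
// and timestamps below are constructed for the demonstration.

type Claims = { sub: string; jti: string; iat: number; exp: number; [k: string]: unknown };

const b64url = (data: Buffer | string): string => Buffer.from(data).toString("base64url");

function sign(claims: Claims, key: Buffer): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", key).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Stateless verification: signature + expiry only. This is everything a plain
// JWT check knows about; it has no notion of logout or cancellation.
function verifyStateless(token: string, key: Buffer, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  // Pin the algorithm server-side; never trust `alg` from the header.
  const hdr = JSON.parse(Buffer.from(header, "base64url").toString());
  if (hdr.alg !== "HS256") return null;
  const expected = createHmac("sha256", key).update(`${header}.${payload}`).digest();
  const actual = Buffer.from(sig, "base64url");
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return null;
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString()) as Claims;
  if (typeof claims.exp !== "number" || now >= claims.exp) return null;
  return claims;
}

// Server-side revocation list (hypothetical in-memory store). An entry is only
// useful until the token's own `exp`, so the list stays bounded by token
// lifetime rather than growing with the user base.
class RevocationList {
  private revoked = new Map<string, number>(); // jti -> exp
  revoke(jti: string, exp: number): void { this.revoked.set(jti, exp); }
  isRevoked(jti: string, now: number): boolean {
    const exp = this.revoked.get(jti);
    if (exp === undefined) return false;
    if (now >= exp) { this.revoked.delete(jti); return false; } // expired anyway, drop it
    return true;
  }
}

// Stateful verification: stateless checks first, then the revocation lookup.
// Tokens without a `jti` are rejected because they could never be revoked.
function verifyWithRevocation(token: string, key: Buffer, list: RevocationList, now: number): Claims | null {
  const claims = verifyStateless(token, key, now);
  if (!claims || typeof claims.jti !== "string") return null;
  return list.isRevoked(claims.jti, now) ? null : claims;
}

// Issue a token with the given lifetime, revoke it immediately (logout or
// cancellation), then check it `checkAfter` seconds later both ways.
function revokeScenario(ttlSeconds: number, checkAfter: number): { stateless: boolean; revocable: boolean } {
  const key = Buffer.from("constructed-demo-key-do-not-use-in-prod");
  const now = 1_700_000_000; // constructed clock value
  const claims: Claims = { sub: "user-42", jti: randomUUID(), iat: now, exp: now + ttlSeconds };
  const token = sign(claims, key);
  const list = new RevocationList();
  list.revoke(claims.jti, claims.exp); // the server's reaction to logout / cancel
  const later = now + checkAfter;
  return {
    stateless: verifyStateless(token, key, later) !== null,
    revocable: verifyWithRevocation(token, key, list, later) !== null,
  };
}

// Sanity helper: a token whose payload was altered must fail the signature check.
function tamperedTokenAccepted(): boolean {
  const key = Buffer.from("constructed-demo-key-do-not-use-in-prod");
  const now = 1_700_000_000;
  const token = sign({ sub: "user-42", jti: "t1", iat: now, exp: now + 60 }, key);
  const [h, p, s] = token.split(".");
  const forged = b64url(JSON.stringify({ sub: "admin", jti: "t1", iat: now, exp: now + 60 }));
  return verifyStateless(`${h}.${forged}.${s}`, key, now) !== null;
}

// Logout with a 15-minute session token, checked 10 minutes later; cancellation
// of a 5-minute payment intent, checked 10 seconds later.
console.log(revokeScenario(15 * 60, 10 * 60)); // stateless: true, revocable: false
console.log(revokeScenario(5 * 60, 10));       // stateless: true, revocable: false
```

The stateless verifier says "valid" in both scenarios because, as the article says, the signature is correct and `exp` has not passed; only the server-side lookup turns the answer into "rejected". The price is exactly the state JWT was trying to avoid: every verifying service needs access to the list, and the list must survive until the longest outstanding token expires.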
