Project ideas from Hacker News discussions.

Stop Using JWTs

📝 Discussion Summary

1️⃣ JWTs are ill‑suited for browser‑based user sessions

"Necessary qualifier: for browser‑based user sessions." — solatic

2️⃣ Insecure defaults & library complexity have caused real exploits

"There were plenty of libraries accepting the "none" algorithm [...] allowing attackers to forge tokens by using a public key as a shared secret." — RagingCactus

3️⃣ JWTs have legitimate uses for service‑to‑service / machine‑to‑machine tokens

"Plenty of good uses for JWTs for service‑to‑service communication." — solatic

4️⃣ Revocation is non‑trivial; the spec is viewed skeptically

"The JWT specification itself is not trusted by security experts." — tptacek


🚀 Project Ideas

JWT Revocation‑as‑a‑Service

Summary

  • Provides a lightweight API to manage JWT revocation without maintaining large per‑user session stores.
  • Eliminates the “can't invalidate JWTs” pain point for API‑centric applications.

Details

Key Value
Target Audience Backend engineers using JWT for API authentication
Core Feature Managed revocation list with Bloom‑filter fast checks and sign‑out endpoints
Tech Stack Node.js, Redis, Bloom filter library, Docker, OpenAPI spec
Difficulty Medium
Monetization Revenue-ready: $0.01 per token revocation

Notes

  • HN commenters repeatedly cited the need to “revoke individual JWTs” and the difficulty of doing it at scale.
  • Solves the exact pain of scaling revocation lists for globally distributed services while staying stateless for the majority of requests: a Bloom‑filter miss is a definite “not revoked” with no store round‑trip, and only a hit is confirmed against the exact list. The filter never misses a revoked token (no false negatives), but entries cannot be removed from it, so it has to be rebuilt periodically as revoked tokens pass their exp.
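The revocation check described above, as an added example (stdlib Python, not the page's or any project's code). The Bloom filter is implemented inline, and an in-memory dict stands in for the Redis set the sketch lists; the jti strings and timestamps are constructed sample values.

```python
import hashlib
import math
import time


class BloomFilter:
    """Bit-array Bloom filter over SHA-256. It has no false negatives: a jti
    that was added is always reported as a possible hit, so a revoked token
    can never slip through; a false positive only costs one exact lookup."""

    def __init__(self, expected_items, fp_rate=0.01):
        # Textbook sizing: m bits and k hash positions for the target rate.
        self.m = max(8, int(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Kirsch-Mitzenmacher double hashing: k positions from one digest.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class RevocationStore:
    """Exact store of revoked jti -> exp (stands in for the Redis set in the
    sketch; assumption). An entry is only needed until the token expires."""

    def __init__(self):
        self.revoked = {}
        self.lookups = 0  # counts exact lookups, to show the Bloom filter's effect

    def revoke(self, jti, exp):
        self.revoked[jti] = exp

    def contains(self, jti, now):
        self.lookups += 1
        exp = self.revoked.get(jti)
        return exp is not None and exp > now

    def purge(self, now):
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}


class RevocationChecker:
    """Fast path: Bloom miss => not revoked, no store round-trip.
    Slow path: Bloom hit => confirm against the exact store."""

    def __init__(self, expected_items=10_000):
        self.bloom = BloomFilter(expected_items)
        self.store = RevocationStore()

    def revoke(self, jti, exp):
        self.store.revoke(jti, exp)
        self.bloom.add(jti)

    def is_revoked(self, jti, now=None):
        now = int(time.time()) if now is None else now
        if not self.bloom.might_contain(jti):
            return False
        return self.store.contains(jti, now)
```

Because bits are never cleared, the filter's false-positive rate creeps up as tokens are revoked and later expire; a service built on this would rebuild the filter from the purged store on a schedule and ship the bit array to edge nodes, which is what keeps the common-case check local.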

Stateless Session Manager with Auto‑Revoke

Summary

  • Issues signed session tokens that carry an iat claim and revokes them on logout by raising a per‑user “minimum_iat” field; any token issued before that instant is rejected.
  • Provides a simple UI for “Sign out from all devices” that costs one per‑user write, with each request doing a single per‑user lookup (cacheable) instead of consulting a per‑token revocation list.

Details

Key Value
Target Audience Full‑stack developers building web apps that need quick logout support
Core Feature Automatic revocation via timestamp check, no separate revocation list
Tech Stack Python FastAPI, PostgreSQL, JWT library, React admin UI, Docker
Difficulty Low
Monetization Hobby

Notes

  • Directly addresses the “sign‑out from all devices” discussion where users want a single action to invalidate all JWTs.
  • Simple to adopt, low overhead, and fits the “revocation list is tiny” argument from the thread: the only revocation state is one timestamp per user.
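The minimum_iat mechanism, as an added example (stdlib Python, not the page's or the project's code). It includes a minimal HS256 JWT signer and verifier so it runs offline; the verifier pins the algorithm server-side rather than trusting the token's alg header, which is the mistake behind the "none" and key-confusion bugs the thread mentions. The key, user ids, timestamps and TTL are constructed values, and the min_iat dict stands in for a database column.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims, key):
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, key):
    """The algorithm is pinned here, never read from the token: choosing the
    verifier from the header is what enabled the "none" and key-confusion
    attacks discussed above."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p_b64))


class SessionManager:
    TTL = 3600  # token lifetime in seconds (assumed value)

    def __init__(self, key):
        self.key = key
        self.min_iat = {}  # user_id -> earliest acceptable iat; stands in for a DB column

    def login(self, user_id, now):
        return sign_jwt({"sub": user_id, "iat": now, "exp": now + self.TTL}, self.key)

    def logout_all(self, user_id, now):
        # One write per user; outstanding tokens never need to be enumerated.
        self.min_iat[user_id] = now

    def authenticate(self, token, now):
        """Returns the user id, or None if the token is expired or predates the
        user's last logout-all. Signature failures raise ValueError."""
        claims = verify_jwt(token, self.key)
        if claims["exp"] <= now:
            return None
        # One per-user read (cacheable) replaces a per-token deny list.
        # iat has one-second resolution, so a token minted in the same second
        # as the logout survives; a per-user version counter avoids that.
        if claims["iat"] < self.min_iat.get(claims["sub"], 0):
            return None
        return claims["sub"]
```

The same check works for sign-out of one device if the per-user field is replaced by a per-session one, but then it is a session store again; the point of min_iat is that "all devices" needs only the single number.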

JWT Refresh Orchestration Platform

Summary

  • Central service that issues short‑lived JWTs and handles automatic refresh/rotation for microservice meshes.
  • Reduces the operational burden of managing multiple refresh endpoints across services.

Details

Key Value
Target Audience Platform engineers managing polyglot microservice architectures
Core Feature Unified token issuance, rotation, and revocation with client‑side SDK
Tech Stack Go, gRPC, etcd for state, OpenTelemetry tracing, Kubernetes operators
Difficulty Medium
Monetization Revenue-ready: $0.05 per 1k refreshes

Notes

  • Responds to the need for “short‑lived JWTs” and “refresh model” mentioned in multiple comments.
  • Provides a reusable component that avoids each service rolling its own refresh logic.
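The rotation half of this idea, as an added example (stdlib Python, not the page's or the project's code). It adds reuse detection, a standard practice the thread does not spell out: every refresh token belongs to a family, each rotation retires the token it was given, and a retired token coming back revokes the whole family. Minting the access JWT itself is left to the issuing service; the orchestrator returns the claims to sign. Subject names, TTLs and timestamps are constructed values.

```python
import hashlib
import secrets

ACCESS_TTL = 300               # seconds; assumed value
REFRESH_TTL = 30 * 24 * 3600   # seconds; assumed value


class RefreshOrchestrator:
    """Keeps refresh-token state and returns access-token claims for the
    issuing service to sign (the JWT itself is minted elsewhere)."""

    def __init__(self):
        self.refresh = {}            # sha256(refresh token) -> record; raw tokens are never stored
        self.revoked_families = set()

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, sub, family, now):
        rt = secrets.token_urlsafe(32)
        self.refresh[self._h(rt)] = {"sub": sub, "family": family,
                                     "exp": now + REFRESH_TTL, "used": False}
        access_claims = {"sub": sub, "family": family, "iat": now, "exp": now + ACCESS_TTL}
        return access_claims, rt

    def login(self, sub, now):
        # A family ties every refresh token descended from one login together.
        return self._issue(sub, secrets.token_hex(8), now)

    def rotate(self, refresh_token, now):
        rec = self.refresh.get(self._h(refresh_token))
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec["family"] in self.revoked_families:
            raise PermissionError("family revoked")
        if rec["used"]:
            # A retired token came back. Either the client retried with a stale
            # copy or a thief used it; we cannot tell, so the whole chain dies.
            self.revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        if rec["exp"] <= now:
            raise PermissionError("refresh token expired")
        rec["used"] = True
        return self._issue(rec["sub"], rec["family"], now)

    def revoke_family(self, family):
        """Explicit sign-out: future rotations in this family fail. Access tokens
        already issued live out their TTL, which is why that TTL is short."""
        self.revoked_families.add(family)

    def is_family_revoked(self, family):
        return family in self.revoked_families
```

Storing the family id in the access-token claims, as done here, lets a resource server that does consult the orchestrator reject access tokens of a revoked family early, but the design still leans on the short ACCESS_TTL for servers that never call home.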

Macaroon‑Based Permission Attenuator

Summary

  • A client‑side library that creates attenuated tokens (Macaroons) with embedded scope restrictions.
  • Enables fine‑grained delegation without round‑trips to an auth server.

Details

Key Value
Target Audience SaaS platforms dealing with third‑party agents and sub‑services
Core Feature Attenuation and confinement capabilities baked into token format
Tech Stack Rust (for performance), libmacaroons bindings, WebAssembly for browser use, Docker
Difficulty High
Monetization Revenue-ready: $29/month per application

Notes

  • Directly tackles the “delegate permissions without contacting the auth server” conversation.
  • Offers a practical path to the “Macaroons for agentic workflows” idea that many commenters expressed interest in.
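Attenuation without a round-trip, as an added example (stdlib Python rather than the Rust/libmacaroons stack listed above; not the page's or the project's code). It implements the first-party-caveat core of a macaroon: the issuer mints with a root key, a holder appends caveats by advancing an HMAC chain, and only the issuer can verify by recomputing the chain. The caveat grammar ("key = value", "key < int"), the root key and the request contexts are assumptions for the example; third-party caveats are not covered.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def _chain(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Macaroon:
    identifier: str                      # names the root key / grant at the issuer
    caveats: list = field(default_factory=list)
    signature: bytes = b""

    @classmethod
    def mint(cls, root_key, identifier):
        # Only the issuer holds root_key; the holder gets the chained HMAC, not the key.
        return cls(identifier, [], _chain(root_key, identifier.encode()))

    def attenuate(self, caveat):
        """Holder-side, offline: append a caveat and advance the HMAC chain.
        Authority can only shrink; the previous signature is not recoverable."""
        return Macaroon(self.identifier, self.caveats + [caveat],
                        _chain(self.signature, caveat.encode()))


def _caveat_holds(caveat, ctx):
    # Assumed caveat grammar: "<key> = <value>" or "<key> < <int>".
    # Anything else fails closed.
    parts = caveat.split(" ", 2)
    if len(parts) != 3:
        return False
    key, op, val = parts
    if op == "=":
        return key in ctx and str(ctx[key]) == val
    if op == "<":
        return key in ctx and ctx[key] < int(val)
    return False


def verify(m, root_key, ctx):
    """Issuer-side: recompute the chain from the root key, then require every
    caveat to hold in the request context."""
    sig = _chain(root_key, m.identifier.encode())
    for c in m.caveats:
        sig = _chain(sig, c.encode())
    if not hmac.compare_digest(sig, m.signature):
        return False
    return all(_caveat_holds(c, ctx) for c in m.caveats)
```

A sub-service or agent that receives the attenuated macaroon can narrow it again (for example, add an expiry in seconds) before passing it on, and nothing in that step contacts the issuer; a holder who drops a caveat or edits one ends up with a signature the issuer will not reproduce.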
