Introduction
JSON Web Tokens (JWT) have become the default for many developers when it comes to stateless authentication. Their ability to encode and transport user claims across systems makes them attractive for modern API-based applications. But despite their popularity, JWTs are not without flaws—misuse, bloat, poor revocation support, and cryptographic misuse are just a few of the reasons developers have started to explore alternatives.
In this post, we'll dive into the reasons why you might want to avoid JWT in certain cases and highlight some robust alternatives that may offer better security, scalability, or simplicity, depending on your use case. Whether you’re building an enterprise-grade platform or a lightweight API, understanding your options is crucial to implementing secure and maintainable authentication.
The Limitations of JWT: Why Look Elsewhere?
Before exploring alternatives, it’s important to understand why JWTs can become problematic. JWTs often carry a payload that includes user information, roles, and expiry claims—all of which are base64 encoded but not encrypted. This can lead to misuse where developers mistakenly assume JWTs are safe to store sensitive data in.
Another issue is token revocation. Since JWTs are stateless, once issued, they’re valid until expiry unless you track them in a token blacklist—which defeats the purpose of statelessness. If a token is compromised, there's no way to revoke it unless you’re willing to sacrifice scalability and maintain a revocation store.
Token size is also an often-overlooked problem. Embedding large user claims can bloat the token, increasing request sizes. And let’s not forget signature algorithm confusion, where servers inadvertently accept tokens signed with a weak or none algorithm, especially if verification logic is improperly implemented.
Opaque Tokens: Simpler, Safer Alternatives
Opaque tokens are essentially random strings issued by a server. They carry no meaningful information to the client or third parties, unlike JWTs. This simplicity removes many security pitfalls. The backend is responsible for storing the mapping between the token and its associated session or user claims.
These tokens are ideal when the server controls both the authentication and resource endpoints. The benefit is full control over token lifecycle, including revocation, rotation, and session invalidation.
Here’s a TypeScript snippet for generating opaque tokens using Node.js and crypto:
import crypto from 'crypto';
function generateOpaqueToken(): string {
return crypto.randomBytes(32).toString('hex');
}
The backend would store this token in a database along with user session data. When the client presents the token, the server looks it up and checks validity. This allows for logout, token expiration, and other session management features without bloating the token itself.
PASETO: The Safer Modern Alternative to JWT
PASETO (Platform-Agnostic Security Tokens) is often described as the successor to JWT. It avoids many of JWT’s mistakes by removing ambiguous cryptographic choices and enforcing best practices. There’s no option to use weak algorithms like none, and it supports both local (symmetric encryption) and public (asymmetric signing) modes.
A key difference is how PASETO handles encryption. While JWTs are often just signed and not encrypted, PASETO makes encrypted payloads a first-class feature. This reduces the risk of leaking sensitive information in the token.
import { V2 } from 'paseto';
import { readFileSync } from 'fs';
async function createPasetoToken() {
const secretKey = readFileSync('./private-key.pem');
return await V2.sign(
{ userId: '1234', role: 'admin' },
secretKey,
{ expiresIn: '1h' }
);
}
PASETO is especially valuable in high-trust systems that need strong guarantees around cryptography and payload confidentiality. It’s not as widely supported as JWT yet, but adoption is growing in the security-conscious ecosystem.
Session-Based Authentication: The Time-Tested Approach
While tokens are great for APIs, traditional cookie-based session authentication is still one of the most secure and straightforward ways to handle user sessions—especially for web apps. Sessions are stored server-side and tied to a session ID sent in an HTTP-only cookie. These cookies are automatically sent with every request by the browser, making client-side management unnecessary.
This approach provides robust protection against token theft via XSS since HTTP-only cookies are not accessible by JavaScript. Plus, sessions can be invalidated server-side at any time, offering built-in revocation.
Here’s how you might set this up in an Express.js app using the express-session package:
import session from 'express-session';
app.use(session({
secret: 'your-secret',
resave: false,
saveUninitialized: true,
cookie: { httpOnly: true, secure: true }
}));
Session authentication scales well for monoliths or when your frontend and backend share the same origin. However, it’s not ideal for mobile apps or distributed systems unless you adopt sticky sessions or centralized session stores like Redis.
Choosing the Right Strategy: JWT vs Alternatives
There’s no silver bullet. Choosing the right token strategy depends on your application’s architecture, trust boundaries, and scalability requirements. JWT is great for stateless APIs where you control both ends and want a compact, verifiable token format. But for apps requiring strong revocation, reduced attack surfaces, or minimal token size, opaque tokens or PASETO might be better.
Use JWT when:
- You need stateless, cross-domain authentication
- You want to avoid session stores
- You have strong cryptographic discipline
Use opaque tokens when:
- You control the full backend and frontend
- You need revocation, rotation, or session management
- Simplicity and predictability are priorities
Use PASETO when:
- You want strong cryptographic defaults
- You need token encryption out of the box
- You aim for a JWT-like API with better safety guarantees
Use sessions when:
- You’re building a traditional web app
- Your app is single-origin or behind a reverse proxy
- You need secure cookie-based workflows
Conclusion
While JWTs have earned their place in modern web development, they're not a one-size-fits-all solution. The rise of alternatives like opaque tokens, PASETO, and session-based authentication reflects the evolving needs of developers aiming for tighter security and better control.
By understanding the trade-offs and implementation patterns of each approach, you can make informed decisions that enhance your application's security posture without sacrificing developer ergonomics. Think critically, evaluate your system's needs, and remember—secure design starts with understanding your tools, not just using them.