May 23, 2026

Signed, sealed, overcomplicated

JWT is a scam and your app doesn't need it

Developer declares login tokens a scam — commenters instantly start a civil war

TLDR: The article says a trendy way apps handle logins is usually more trouble than it's worth, because it makes simple sign-in harder and weaker to control. Commenters immediately split into camps: some cheered the takedown, while others said it’s still essential for giant multi-app systems.

A fresh programmer meltdown has hit the internet, and this one comes with receipts. The author of "JWT is a scam and your app doesn't need it" basically says a popular login method has been wildly oversold for years. In plain English: instead of using a simple server-kept login pass, many apps use a portable signed pass that sounds modern and clever — until you try to log someone out, block a stolen pass, or stop your app from turning into a maze of workarounds. The writer's big accusation is brutal: this system promises freedom from server storage, then quietly drags you right back into storing data anyway.

And oh, the comments did not keep calm. Some readers fully embraced the rant, with one person jokingly asking why the author had been “pretending” it was fine in the first place — a perfect little drive-by that turned the opening line into meme bait. Others pushed back hard, saying this tool is still useful when lots of separate apps need one shared sign-in system. That split became the real popcorn moment: is this thing useless bloat for normal apps, or a lifesaver for sprawling company systems?

Then came the classic internet move: the “actually…” brigade. One commenter insisted short lifetimes and replacement passes solve the problem, while another sarcastically replied that they’d definitely keep checking these signed passes for big outside services like Amazon. Translation: the crowd agrees on one thing only — developers love arguing about login systems almost as much as they love making them complicated.

Key Points

  • The article says JWT’s main value proposition is stateless authentication through signature verification without a database lookup.
  • The article argues JWTs cannot be invalidated before expiration unless the server maintains a revocation list and checks it on every request.
  • The article states that long-lived JWTs leave compromised accounts exposed until token expiration if no revocation mechanism is used.
  • The article describes refresh-token architectures as adding substantial client and server complexity while still requiring server-side state.
  • The article recommends opaque bearer tokens stored server-side in systems such as Redis and Postgres as a simpler alternative for typical apps.
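To make the key points concrete, here is a small added illustration (not code from the article or its commenters) of the two designs the article contrasts: an HS256 JWT that verifies statelessly but needs a revocation list for early invalidation, beside an opaque token whose server-side record is the session. The secret, the in-memory dict standing in for Redis or Postgres, and the claim values are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key-not-for-production"  # constructed sample key

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims, secret):
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, secret, revoked_jtis, now):
    """Signature + expiry check, then the revocation lookup the article objects to."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if claims.get("exp", 0) <= now:
            return None
        if claims.get("jti") in revoked_jtis:  # server-side state JWT was meant to avoid
            return None
        return claims
    except (ValueError, AttributeError):  # bad base64, bad JSON or a non-object part
        return None

# Opaque alternative: the server-side record *is* the session, so revocation is a delete.
SESSIONS = {}

def issue_opaque(user, now, ttl=3600):
    token = secrets.token_urlsafe(32)  # random handle; carries no claims itself
    SESSIONS[token] = {"sub": user, "exp": now + ttl}
    return token

def verify_opaque(token, now):
    session = SESSIONS.get(token)
    return session if session and session["exp"] > now else None

def revoke_opaque(token):
    SESSIONS.pop(token, None)
```

Note that `verify_jwt` only rejects a stolen token early because `revoked_jtis` exists, which is exactly the lookup the stateless design was supposed to remove.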

Hottest takes

"Why were you pretending? That's not healthy" — nathanmills
"Congratulations, you have reinvented sessions, badly" — article
"I’ll stop authorizing incoming OAuth 2 requests to Amazon AgentCore" — thisisauserid
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.