Let's stop arguing about JWTs and just fix them

Let's stop arguing about JWTs and just fix them(clerk.dev)

5 points by colinclerk 3 years ago | 2 comments

Nextgrid 3 years ago |

I disagree. Just because a subpar implementation is "winning" thanks to cargo-cult developers doesn't mean it's time to put up with mediocrity especially in a security context where a failure can be disastrous.

If you have a business case for JWTs, fine, take on the extra complexity and implement JWTs properly.

If you don't (and as the author points out, the majority of implementations don't need them), push back and do it properly using a simpler system, rather than implement the complexity just to then abstract it away.

colinclerk 3 years ago | |

I don’t agree that the complex system is mediocre.

I like it because it’s faster and it’s enabling more powerful integrations.

We (Clerk) abstracted away the complexity so it’s just an implementation detail, and think other tools should do the same instead of letting developers trip over the hazards.