If the secret is compromised you must change it and distribute that change to each of your nodes.

Hosting providers with clustering/scaling usually allow you to store secrets in their service to make distributing these secrets easy and reliable.

I guess the storage requirement would be lower, but you still require a database.

The biggest appeal of JWT for me was to not use a database at all for sessions.

This is primarily a long comment supporting and building on the answer by @mattway.

Given: Some of the other proposed solutions on this page advocate hitting the datastore on every request.

If you hit the main datastore to validate every authentication request, then I see less reason to use JWT instead of other established token authentication mechanisms.

We are using Redis for in-memory object storage, and we could easily use this for case #2, and then the latency would go WAY down.

This Coding Horror post offers some advice: Keep session bearing cookies (or tokens) short but make it invisible to the user - which appears to be in line with #3.

These approaches allow the server to continue authenticating requests without per-request DB accesses.

The ideas posted above are good, but a very simple and easy way to invalidate all the existing JWTs is simply to change the secret.

In terms of similarities/differences with regards to attacks using tokens, this post addresses the question:

Excellent approach.

My gut would be to do a combination of all 3, and/or, request a new token after every "n" requests (as opposed to a timer).

For a new project I'm working on, I'm thinking about switching over from a cookie-based session approach (by this, I mean, storing an id to a key-value store containing user sessions in a user's browser) to a token-based session approach (no key-value store) using JSON Web Tokens (JWT).
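The two database-free controls discussed in this thread, short expiry and changing the secret, shown as an added example that is not part of any of the original posts. It assumes HS256 tokens built with the Python standard library only; the function names, secrets, subjects and fixed clock are constructed for illustration.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue(secret: bytes, sub: str, ttl: int, now: int) -> str:
    # Short ttl bounds how long a stolen token stays usable without any lookup.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    return f"{header}.{body}.{_b64(_sign(secret, header + '.' + body))}"

def verify(secret: bytes, token: str, now: int):
    """Return the claims if signature and expiry hold, else None. No datastore hit."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the header's choice
        if not hmac.compare_digest(_sign(secret, header + "." + body), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > now else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # malformed token

def demo():
    now = 1_700_000_000  # constructed fixed clock
    old_secret, new_secret = b"constructed-secret-v1", b"constructed-secret-v2"
    alice = issue(old_secret, "alice", 900, now)
    bob = issue(old_secret, "bob", 900, now)
    return {
        "valid_before_rotation": verify(old_secret, alice, now + 60),
        "after_expiry": verify(old_secret, alice, now + 901),
        "alice_after_rotation": verify(new_secret, alice, now + 60),
        "bob_after_rotation": verify(new_secret, bob, now + 60),
    }
```

After the rotation both tokens fail, not just one: changing the secret logs out every user at once, and every node must hold the new secret before it can verify newly issued tokens.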