<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Jwt on Sauvik Biswas</title>
    <link>https://sauvikbiswas.com/tags/jwt/</link>
    <description>Recent content in Jwt on Sauvik Biswas</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Wed, 17 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://sauvikbiswas.com/tags/jwt/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>JWT Access Tokens: Local Validation Without the Introspection Hop</title>
      <link>https://sauvikbiswas.com/posts/learning-oauth-2-06b/</link>
      <pubDate>Wed, 17 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://sauvikbiswas.com/posts/learning-oauth-2-06b/</guid>
      <description>&lt;h2 class=&#34;heading&#34; id=&#34;why-a-second-validation-mode&#34;&gt;&#xA;  Why a second validation mode&#xA;  &lt;a class=&#34;anchor&#34; href=&#34;#why-a-second-validation-mode&#34;&gt;#&lt;/a&gt;&#xA;&lt;/h2&gt;&#xA;&lt;p&gt;&lt;a href=&#34;https://sauvikbiswas.com/posts/learning-oauth-2-06/&#34;&gt;v06&lt;/a&gt; split the authorization server from the resource server and taught the default way a separate resource server trusts a token it never issued: &lt;strong&gt;introspection&lt;/strong&gt; (Mode A). On every &lt;code&gt;GET /api/me&lt;/code&gt;, the resource server sends the opaque Bearer token to &lt;code&gt;POST /introspect&lt;/code&gt; on the auth server and gets back &lt;code&gt;active&lt;/code&gt;, &lt;code&gt;sub&lt;/code&gt;, and &lt;code&gt;exp&lt;/code&gt;.&lt;/p&gt;&#xA;&lt;p&gt;That works, but it has a cost: a network hop to the auth server on every single API call, and a hard dependency — if the auth server is down, &lt;code&gt;/api/me&lt;/code&gt; fails even when the client still holds a perfectly valid token.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
