Jwt-auth: Is it possible to invalidate all jwt tokens in a system?

Created on 31 Oct 2018 · 6 comments · Source: tymondesigns/jwt-auth

Is it possible to invalidate all jwt tokens in a system?

Hi.
I want to invalidate all JWT tokens for a specific user if there is a record in my session table with that user's IP. Invalidate all tokens, then log in the user, generate a token for him, and pass the token to the user.

Your environment

| Q                 | A       |
| ----------------- | ------- |
| Bug?              | no      |
| New Feature?      | no      |
| Framework         | Laravel |
| Framework version | 5.5.    |
| Package version   | 0.5.12  |
| PHP version       | 7.2.4   |

All 6 comments

I think you can add a custom claim like a flag in payload and check it in middleware
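One way to implement the custom-claim idea from the comment above, as an added example that is not code from this thread or from the jwt-auth project: each token carries a per-user "token version" claim, middleware rejects tokens whose version no longer matches the user's row, and bumping the version revokes every outstanding token for that one user without touching the secret. Assumptions not taken from the page: an integer `token_version` column on `users` (default 0), a `sessions` table with `user_id` and `ip` columns, the claim name `tv`, the class and method names used here, and that the jwt-auth 0.5.x facade exposes `attempt`, `toUser`, `fromUser`, `parseToken`, `authenticate` and `getPayload` with the signatures used below.

```php
<?php
// Added example (not from the thread or the jwt-auth project): per-user token
// versioning via a custom claim, checked in middleware, for Laravel 5.5 with
// tymon/jwt-auth 0.5.x. Column `token_version`, claim `tv`, table `sessions`
// and all class names are assumptions, not from the page.

namespace App {

    use Illuminate\Foundation\Auth\User as Authenticatable;

    class User extends Authenticatable
    {
        // Claims embedded in every token issued for this user (hypothetical helper).
        public function jwtCustomClaims()
        {
            return ['tv' => (int) $this->token_version];
        }

        // Revoke every token issued so far for this user. Eloquent's increment()
        // updates both the database row and the in-memory attribute, so a token
        // issued right afterwards already carries the new version.
        public function revokeAllTokens()
        {
            $this->increment('token_version');
        }
    }
}

namespace App\Http\Middleware {

    use Closure;
    use Tymon\JWTAuth\Facades\JWTAuth;

    // Register in $routeMiddleware (e.g. as 'jwt.version') and apply to protected routes.
    class CheckTokenVersion
    {
        public function handle($request, Closure $next)
        {
            // Parses the Authorization header; throws if the token is missing or invalid.
            $user    = JWTAuth::parseToken()->authenticate();
            $claimed = JWTAuth::getPayload()->get('tv');

            // A token without the claim predates the rollout and is rejected too,
            // rather than being treated as version 0 by an implicit int cast.
            if ($claimed === null || (int) $claimed !== (int) $user->token_version) {
                // Signature and expiry were fine; the token is from an older generation.
                return response()->json(['error' => 'token_revoked'], 401);
            }

            return $next($request);
        }
    }
}

namespace App\Http\Controllers {

    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\DB;
    use Tymon\JWTAuth\Facades\JWTAuth;

    class AuthController extends Controller
    {
        // The flow from the question: if the sessions table has a row for this
        // user and IP, revoke all prior tokens, then issue a fresh one.
        public function login(Request $request)
        {
            $credentials = $request->only('email', 'password');

            if (! $token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'invalid_credentials'], 401);
            }

            $user = JWTAuth::toUser($token);

            $flagged = DB::table('sessions')           // assumed table/columns
                ->where('user_id', $user->getKey())
                ->where('ip', $request->ip())
                ->exists();

            if ($flagged) {
                $user->revokeAllTokens();
            }

            // Issue from the (possibly bumped) user so the `tv` claim is current;
            // the token returned by attempt() is discarded because it lacks the claim.
            return response()->json(['token' => JWTAuth::fromUser($user, $user->jwtCustomClaims())]);
        }
    }
}
```

The check costs one integer comparison per request against a column the user row already carries, and it revokes tokens the server never saw issued (for example ones minted before a database restore), which a per-token blacklist cannot do; the trade-off is that a bump logs out every device of that user, not one session.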

How to invalidate all the existing tokens and log out all the already logged-in users:

1. Generate a new JWT secret:

   ```
   php artisan jwt:generate
   ```

   This will generate a new random key, which will be used to sign your tokens.

2. Update the newly generated key in the .env file:

   ```
   JWT_SECRET=<new_jwt_key>
   ```

3. Clear the application configuration and cache:

   ```
   php artisan config:clear
   php artisan cache:clear
   ```

Regenerating the jwt secret is the nuclear option. Preferably it should be possible to invalidate all tokens, or a subset of user tokens, without generating a new secret.

@Soulriser Can you explain why you call that a "nuclear option"? Are there any consequences with generating a new jwt secret?

Hi @lowerends. Regenerating the secret blows away all tokens, but the questioner asked about invalidating a subset (such as for a specific user or group of users). I don't mean to say it's bad or that there are specific negative consequences, so long as you know all of your users will have their sessions destroyed. It does seem to me, though, that having more programmatic control over token invalidation from within the JWT auth service would be desirable, rather than having to invoke Artisan.

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
