I would set the token expiration to an arbitrarily long amount

@ab320012 I think it is bad practice. In this case hacker will be able use stolen token long time until token expires

Hi @ViTVetal,

this is probably an answer you may not want to read but this is a complex question with no clear answer.

JWT by itself does not solve that problem for you. It provides a token format that you can verify by a given rule set. You should look into OAuth which is based upon JWT. OAuth servers provide an refresh token after the initial authentication to give you an easy way to refresh short lived JWTs. IMHO the JWT expiration should be a short amount of time. At most days but preferable hours or minutes depending on the situation and many other factors.

You may have a look at doorkeeper. https://github.com/doorkeeper-gem/doorkeeper

Another way to use JWT in your app is to integrate OAuth providers like Google/Firebase, Facebook, Twitter, 0Auth, {insert your provider of choice here}, etc.

An article you may want to read: https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3

@excpt Thank you! It is important for me to hear the answer from the owner of repository. I'll look at links