Good question, and one that trips up a lot of teams early on. A few things that actually matter in production:

JWT is fine, but don't treat it as a session. Keep expiry short; 15 minutes is a common baseline, though your use case might call for less. Refresh tokens should live in httpOnly cookies, not localStorage. That one mistake alone accounts for a huge number of auth vulnerabilities in production apps.

Sessions still make sense for server-rendered apps: simpler to revoke, easier to manage. JWT shines more in stateless or API-first setups. Pick based on your architecture, not the hype.

OAuth is the right call if you're dealing with third-party integrations. Don't roll your own if you don't have to. The surface area for mistakes is too large.

On the backend, never log tokens. Ever. It sounds obvious until you're debugging a prod issue at midnight and someone adds a catch-all logger.

The most common mistake I see is teams focusing on the happy path and forgetting token revocation. What happens when a user logs out? When a token is compromised? Having a clear invalidation strategy from day one saves a lot of pain later. Start simple, but think about rotation and revocation before you go live, not after.
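The rotation and revocation strategy the answer above asks for, as an added Python example that is not part of the original post: a server-side refresh-token table with single-use rotation, revocation of the whole token family on replay or logout, and the cookie attributes that keep the refresh token out of JavaScript. `RefreshStore`, `refresh_cookie`, the in-memory dict and the 14-day lifetime are assumptions of this example, not anything from the thread.

```python
import hashlib, secrets, time

REFRESH_TTL = 14 * 24 * 3600   # assumed refresh-token lifetime; tune per product


def _h(token):
    # Store only a hash: a leaked token table must not be replayable as-is.
    return hashlib.sha256(token.encode()).hexdigest()


class RefreshStore:
    """In-memory stand-in for the server-side refresh-token table (hypothetical; use a DB/Redis in production)."""

    def __init__(self):
        self.tokens = {}   # sha256(token) -> {"user", "family", "exp", "used"}

    def issue(self, user, family=None, now=None):
        now = now or time.time()
        token = secrets.token_urlsafe(32)
        self.tokens[_h(token)] = {"user": user, "family": family or secrets.token_hex(8),
                                  "exp": now + REFRESH_TTL, "used": False}
        return token

    def rotate(self, token, now=None):
        """Exchange a refresh token for a fresh one (single use). Presenting an already-used
        token means the client or an attacker replayed it, so the whole family is revoked."""
        now = now or time.time()
        rec = self.tokens.get(_h(token))
        if rec is None or rec["exp"] <= now:
            return None                       # unknown or expired: client must log in again
        if rec["used"]:
            self.revoke_family(rec["family"])  # replay detected: invalidate every sibling token
            return None
        rec["used"] = True
        return self.issue(rec["user"], rec["family"], now)

    def revoke_family(self, family):
        """Logout / compromise handling: drop every token in the family."""
        self.tokens = {k: r for k, r in self.tokens.items() if r["family"] != family}

    def logout(self, token):
        rec = self.tokens.get(_h(token))
        if rec:
            self.revoke_family(rec["family"])


def refresh_cookie(token):
    """Set-Cookie value: HttpOnly keeps it away from JS (no localStorage), Secure and SameSite limit
    leakage, Path scopes it to the refresh endpoint so it is not sent with every request."""
    return f"refresh={token}; HttpOnly; Secure; SameSite=Strict; Path=/auth/refresh; Max-Age={REFRESH_TTL}"
```

The access token itself stays short-lived (the 15 minutes from the answer) and is never stored server-side; only the refresh token needs this table.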