SYS ARCHITECTLearning Platform
Settings
Theory

Opaque Tokens vs. JWT

πŸ“‹ Overview

In modern authentication, the choice between Opaque Tokens and JSON Web Tokens (JWT) is a fundamental architectural decision. Opaque tokens are "By-Reference"β€”they are random strings that point to data stored on a server. JWTs are "By-Value"β€”they are self-contained, digitally signed objects that carry their own data. This choice dictates how your services validate identity and how you handle session revocation.


πŸ—οΈ Core Principles & Characteristics

Opaque Tokens (Reference Tokens)

  • Server-Side State: The server stores the token's meaning (User ID, Scopes) in a database or cache (Redis).
  • Introspection: To validate the token, the Resource Server must make a network call back to the Authorization Server (/introspect).
  • Privacy: The token itself contains zero information; even if intercepted, no user data is exposed.

JWT (Value Tokens)

  • Statelessness: All data (claims) is encoded into the token itself.
  • Local Validation: The Resource Server validates the token's signature using a public key (JWKS) without making any network calls.
  • Standardized Format: Header (Alg), Payload (Data), and Signature.

βš–οΈ Trade-offs: Pros & Cons

Opaque Tokens

  • Pros: Instant Revocation (just delete from DB); high security (no PII in token); small size.
  • Cons: Higher Latency (DB lookup per request); Auth Server becomes a bottleneck and single point of failure.

JWT

  • Pros: Extremely Scalable (perfect for microservices); low latency (no network calls for validation); stateless.
  • Cons: Hard to Revoke (valid until it expires); larger size (bloats HTTP headers); sensitive data shouldn't be in the payload.

🌍 Real-World Implementation

  • High-Security Systems (Banking): Often prefer Opaque Tokens because the ability to "Kill a Session" instantly across all devices is a hard requirement.
  • Large-Scale Microservices (Netflix/Google): Use JWTs to avoid millions of introspection calls that would crush their identity services.
  • Hybrid Approach (Phantom Tokens): A common "Best Practice." The client gets an Opaque Token (at the edge/gateway), which the Gateway then swaps for a JWT to pass to internal microservices.

πŸ’‘ Interview "Gotchas" & Tips

  • The Revocation Problem: If asked how to revoke a JWT, mention: 1. Keeping TTLs short (5 mins). 2. Using a "Deny List" in Redis (though this re-introduces state). 3. Refresh Token rotation.
  • Security: Remind the interviewer that JWTs are encoded, not encrypted. Anyone can read the payload at jwt.io. Never store passwords or SSNs in a JWT.
  • Introspection Bottleneck: If a system uses Opaque tokens and experiences a 500ms delay, the culprit is likely the introspection network call.

πŸ“ Suggested Architecture Primitives

  • Redis: The standard store for Opaque tokens or JWT Deny Lists.
  • JWKS Endpoint: The URL where an Auth Server publishes its public keys for JWT validation.
  • BFF (Backend for Frontend): A pattern where the backend manages the tokens, keeping them out of the browser's "Local Storage" (XSS risk).
  • Phantom Token Pattern: The industry standard for combining Opaque security with JWT performance.
Canvas