Stop Using JWTs for Sessions

By Jordan Park
## The JWT Session Antipattern

Every month, I see another startup storing sessions in JWTs. Every month, I sigh.

### The Appeal

- Stateless! No database calls!
- Scales infinitely!
- So elegant!

### The Reality

**You cannot invalidate them.**

User logs out? JWT still valid. User gets hacked? JWT still valid. User changes password? JWT still valid.

"But short expiration times!" you say. So now your users re-authenticate every 15 minutes. Great UX.

"But refresh tokens!" Congratulations, you have reinvented sessions with extra steps.

### When JWTs Actually Make Sense

- Service-to-service authentication
- Short-lived authorization grants
- Signed claims that need verification without database calls
- SSO tokens

### What To Use Instead

Session tokens in a fast database:

- Redis (classic)
- PostgreSQL with proper indexes
- Cloudflare KV
- Even SQLite on a single server

One database call per request is fine. Your database can handle it. I promise.

### The Bottom Line

JWTs are a tool. Sessions are a use case. Matching the wrong tool to the use case creates pain.
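To make the invalidation point concrete, here is an added example (not code from the post) that puts a minimal HMAC-signed, JWT-style token next to an opaque server-side session store: after "logout", the signed token still verifies because nothing but the clock can stop it, while the store-backed session is gone. The in-memory dict stands in for Redis or Postgres, and the signing key is a constructed value.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-signing-key"  # constructed for this example only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()
# --- Stateless signed token (JWT-like, HMAC-SHA256): verifies with no lookup ---
def issue_signed(user_id: str, ttl: int = 900) -> str:
    payload = _b64(json.dumps({"sub": user_id, "exp": time.time() + ttl}).encode())
    tag = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"

def verify_signed(token: str):
    payload, tag = token.split(".", 1)
    expected = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["sub"] if claims["exp"] > time.time() else None  # only expiry can end it

# --- Opaque server-side session: the store is the source of truth, so it can be revoked ---
class SessionStore:
    def __init__(self):
        self._sessions = {}  # stands in for Redis/Postgres; keyed by token hash
    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()  # a leaked table yields no usable tokens
    def create(self, user_id: str, ttl: int = 86400) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy; meaningless without the store
        self._sessions[self._key(token)] = {"sub": user_id, "exp": time.time() + ttl}
        return token
    def lookup(self, token: str):
        s = self._sessions.get(self._key(token))
        if s is None or s["exp"] <= time.time():
            self._sessions.pop(self._key(token), None)
            return None
        return s["sub"]
    def revoke(self, token: str) -> None:  # logout
        self._sessions.pop(self._key(token), None)
    def revoke_all(self, user_id: str) -> None:  # password change or account compromise
        for k in [k for k, s in self._sessions.items() if s["sub"] == user_id]:
            del self._sessions[k]

def logout_demo():
    store = SessionStore()
    signed, sess = issue_signed("alice"), store.create("alice")
    store.revoke(sess)  # "logout" for both flows; only the store can honour it
    return verify_signed(signed), store.lookup(sess)  # -> ("alice", None)
```

Storing the hash of the token rather than the token itself is the one extra step worth keeping in a real store: a dumped sessions table then contains nothing a client could present.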