I Thought JWTs Were Stateless. Turns Out Logout Made Me Build a Stateful Layer Anyway.
How-To, Security


via Dev.to, by Ravi Gupta

This is Part 3 of a 4-part series on building AuthShield, a production-ready standalone authentication microservice. This post covers JWT design, the logout problem, Redis blacklisting, the two-token strategy, and refresh token rotation with reuse detection.

Part 1 is here: Why I Stopped Writing Auth Code for Every Project and Built AuthShield

Part 2 is here: I Thought OAuth Was Just Adding a Google Button. Turns Out It's a CSRF Problem Disguised as a Feature

The selling point of JWTs is that they are stateless. The server issues a token, signs it, and forgets about it. Every subsequent request includes the token. The server verifies the signature, reads the claims, and knows everything it needs: who the user is, what roles they have, when the token expires. No database lookup. No session store. No shared state between instances. For an auth microservice like AuthShield that needs to work across multiple downstream services, this is exactly the right foundation. Any service with the
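The stateless verification the excerpt describes, followed by the one stateful lookup that logout forces on top of it, as an added example (this is illustrative code, not code from the AuthShield project): a minimal HS256 JWT issuer and verifier using only Python's standard library. The signing secret, the `roles` claim, and the in-memory `set` standing in for the Redis blacklist are assumptions; `sub`, `iat`, `exp` and `jti` are the standard registered claim names.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo key. A real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, roles: list, ttl_seconds: int,
                now: Optional[int] = None, jti: Optional[str] = None) -> str:
    """Mint an HS256 JWT. The server keeps nothing after this returns."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": sub,
        "roles": roles,            # assumed custom claim
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": jti or secrets.token_urlsafe(16),  # unique id, needed for revocation
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None,
                 revoked: Optional[set] = None) -> dict:
    """Stateless checks first (structure, alg, signature, exp).
    Only then the stateful check: is this token's jti on the blacklist?
    The `revoked` set stands in for the Redis lookup."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm; never let the token choose it (rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison, checked before the payload is trusted at all.
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    # The stateful layer: logout cannot un-sign a token, so it records the jti.
    if revoked is not None and claims.get("jti") in revoked:
        raise ValueError("revoked")
    return claims


def check_token(token: str, now: Optional[int] = None,
                revoked: Optional[set] = None) -> Tuple[bool, object]:
    """Convenience wrapper: (True, claims) or (False, reason)."""
    try:
        return True, verify_token(token, now=now, revoked=revoked)
    except ValueError as exc:
        return False, str(exc)


def logout(token: str, revoked: set, now: Optional[int] = None) -> Optional[str]:
    """Blacklist a still-valid token's jti. Returns the jti, or None if the
    token was already invalid (nothing to revoke). With Redis you would set
    the key with a TTL equal to the token's remaining lifetime."""
    ok, result = check_token(token, now=now)
    if not ok:
        return None
    revoked.add(result["jti"])
    return result["jti"]


if __name__ == "__main__":
    blacklist = set()
    tok = issue_token("user-42", ["admin"], 3600)
    print(check_token(tok, revoked=blacklist))   # (True, {...claims...})
    logout(tok, blacklist)
    print(check_token(tok, revoked=blacklist))   # (False, 'revoked')
```

Every check before the `revoked` lookup is pure computation over the token and the key, which is what lets any downstream service verify without talking to the auth service. The single set membership test at the end is the stateful layer the article's title refers to: the signature is still valid after logout, so revocation has to be recorded somewhere shared.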

Continue reading on Dev.to
