Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

<@U04UQ68083H> jwt tokens doesn't need database lookups and hence latency is better. doesn't it have to use jwt decoder in auth server

Yes, you're correct. JWT tokens are self-contained and do not require a database lookup to validate. Instead, JWTs contain a signature that can be verified to ensure that the token has not been tampered with. This process involves decoding the JWT and verifying the signature using the public key of the Authorization Server. This process is typically faster than a database lookup, hence the latency is better for JWT tokens compared to opaque tokens.  However, it's worth noting that while JWTs provide better latency, they have a delay between being marked as invalid and actually becoming invalid, which can be a problem in some cases. On the other hand, opaque tokens can be immediately revoked by deleting them from the database.  For more information, you can refer to the [Ory documentation on Opaque and JWT access tokens](<https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#opaque-access-tokens-versus-jwt>).