I have investigated the issue and I can confirm that the conclusion from Ali Ok in this comment: https://github.com/aerogear/apollo-voyager-server/pull/4#issuecomment-446956082 is correct. JWT tokens encode the user permissions when they are generated. If the permissions are changed, the previous tokens that contain the old information should be invalidated manually; otherwise there is no way for the API server to know that the permissions are invalid anymore. That's why we are having the problem as described in the description. However, this shouldn't be a big issue if we do the following in our client app:

1. Set the token expiry date to be a relatively short one, and
2. Always refresh the token before making a request to the backend server.

This way we will make sure the tokens are updated more frequently and we shouldn't see this problem at all. Reference: https://stackoverflow.com/questions/37507714/invalidating-client-side-jwt-session/37520125#37520125. cc Dara Hayes Stephen Coady Wojciech Trocki Daniel Passos