I think the idea was that if they managed to get the private key, we have way bigger problems on our hands than them submitting fraudulent orders. Even with server-side tokens, the same could happen if someone gets access to your machine.
Actually, we are controlling both ends. But the issue is that the frontend has rather limited bandwidth most of the time (sadly the truth is that even though your own team wants to make things clean, other teams may not have the same stance).
I think the idea was that as long as it is within 5 min, our service can be certain that the price shouldn't change, and thus we can save the computation cost of having to recompute the price.
It is also a user requirement, because within that 5 min, even if the price is supposed to change, we will still use the price in the JWT.
What are the alternatives to a JWT? I know it is a bit bloated and we could just use the HS256 signature itself, but that doesn't really change the core problem of expiry vs auto-refetch.
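An added example (not code from the thread or from the poster's project) of the "just use the HS256 signature itself" alternative: an HMAC-SHA256 over a compact payload with no JWT header, verified server-side with a constant-time compare, plus the order path that uses the quoted price while the quote is valid and falls back to recomputing once it expires. The key, the `sku`/`price_cents`/`exp` field names and the 5-minute TTL are assumptions for the demo; `forge_price` shows the client-side tampering the MAC is meant to catch.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional, Tuple

# Constructed demo key for this example only; a real service loads it from a
# secret store and never ships it to the browser.
SECRET_KEY = b"demo-hmac-key-not-for-production"
QUOTE_TTL_SECONDS = 5 * 60  # the thread's 5-minute window (assumed value)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> bytes:
    return hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()


def issue_quote(sku: str, price_cents: int, now: Optional[float] = None) -> str:
    """Server side: bind sku, price and expiry together under one MAC."""
    now = time.time() if now is None else now
    payload = {"sku": sku, "price_cents": price_cents,
               "exp": int(now) + QUOTE_TTL_SECONDS}
    body = _b64url(json.dumps(payload, separators=(",", ":"),
                              sort_keys=True).encode("utf-8"))
    return f"{body}.{_b64url(_sign(body))}"


def verify_quote(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Server side: return the payload only if the MAC holds and the quote is unexpired."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        # Constant-time comparison so the MAC check does not leak timing.
        if not hmac.compare_digest(_sign(body), _b64url_decode(sig)):
            return None
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):  # malformed token, bad base64 or JSON
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def price_for_order(sku: str, token: str,
                    lookup_current_price: Callable[[str], int],
                    now: Optional[float] = None) -> Tuple[int, str]:
    """Use the quoted price while the quote is valid; otherwise recompute.

    Within the window the quoted price wins even if the live price changed,
    which is the requirement described in the thread; after expiry the
    service has to refetch, so the expiry-vs-refetch question stays open.
    """
    quote = verify_quote(token, now)
    if quote is not None and quote.get("sku") == sku:
        return quote["price_cents"], "quote"
    return lookup_current_price(sku), "recomputed"


def forge_price(token: str, new_price_cents: int) -> str:
    """What a client could try: rewrite the price but keep the original signature."""
    body, sig = token.split(".", 1)
    payload = json.loads(_b64url_decode(body))
    payload["price_cents"] = new_price_cents
    forged_body = _b64url(json.dumps(payload, separators=(",", ":"),
                                     sort_keys=True).encode("utf-8"))
    return f"{forged_body}.{sig}"
```

The token carries no `alg` header, so there is nothing for a client to downgrade; the only thing the server trusts is its own MAC over the exact bytes it issued, and the `sku` is inside the signed payload so a quote for one item cannot be replayed against another.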
Oh, ticks are rare in my region, that’s why I have no prior experience with them.
I was thinking that, in this context, us slapping the mosquito would be equivalent to slamming a thumbtack into your skin, which could increase the damage dealt and the penetration depth.
Based on this, it seems like you're suggesting moving the logic closer to the frontend and leaving the auto-refetching logic out of the backend?
The more I look at the responses, the more I feel this is a frontend problem to be solved rather than the backend's.