Remote vs local verification of access token

Hi all, I’m new to Okta and looking for some guidance. According to this doc, it seems Okta supports both local and remote verification methods. With the RS256 public key I can verify the token, which is cool. But to check against revocations, I will need to call the introspection URL, which is the remote method.
In a microservices-backed high-throughput system, is there a best practice around using this remote method? Despite the network latency, is Okta able to handle it if we do this for every API request?
Or are we supposed to use a hybrid method where we only do remote introspection periodically while having the public-key-based local verification as the default option?

Appreciate some guidance. Thank you.

Hi there. I’m going to paste this here as a general answer to local vs remote validation:

In terms of best practice, remote validation on every API call would be the most secure, but this is not feasible or realistic for a lot of customers. Depending on how much traffic your site gets, you could be hitting rate limits if you rely fully on remote token validation.

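The hybrid approach raised in the question (local verification on every request, remote introspection only periodically), as an added example that is not part of the original thread and not Okta's code. `HybridTokenValidator`, `verify_local`, `introspect` and `recheck_seconds` are hypothetical names; the two callables are assumed to wrap your JWT library's RS256 check and a call to the introspection endpoint.

```python
import hashlib
import time


class HybridTokenValidator:
    """Verify locally on every request; introspect remotely at most once per
    recheck_seconds per token, which bounds how long a revoked token is accepted."""

    def __init__(self, verify_local, introspect, recheck_seconds=60, clock=time.monotonic):
        self._verify_local = verify_local  # assumed: token -> claims dict, raises if signature/expiry is bad
        self._introspect = introspect      # assumed: token -> dict with a boolean "active" field
        self._recheck = recheck_seconds
        self._clock = clock
        self._seen = {}                    # sha256(token) -> (active, time of last remote check)

    def validate(self, token):
        """Return the claims if the token is accepted, else None."""
        try:
            claims = self._verify_local(token)   # cheap check first: no network call for forged tokens
        except Exception:
            return None
        key = hashlib.sha256(token.encode()).hexdigest()  # cache is keyed by a hash, not the raw token
        now = self._clock()
        cached = self._seen.get(key)
        # An inactive result is final; an active result is trusted only inside the window.
        if cached and (not cached[0] or now - cached[1] < self._recheck):
            return claims if cached[0] else None
        try:
            active = self._introspect(token).get("active") is True
        except Exception:
            return None                          # fail closed; nothing cached, so the next request retries
        self._seen[key] = (active, now)
        return claims if active else None


def demo():
    """Constructed stand-ins for the JWT library and the introspection call."""
    revoked, remote_calls = set(), []
    def fake_introspect(tok):
        remote_calls.append(tok)
        return {"active": tok not in revoked}
    v = HybridTokenValidator(lambda tok: {"sub": "user-1"}, fake_introspect, recheck_seconds=60)
    results = [v.validate("constructed-token") for _ in range(1000)]
    return all(results), len(remote_calls)   # 1000 accepted requests, one remote call


if __name__ == "__main__":
    print(demo())
```

`recheck_seconds` is the revocation window being accepted in exchange for fewer introspection calls; a long-running service would also evict cache entries once the token's `exp` has passed.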