[sovrin]

Are you going to encrypt these? Plain tokens are easy to decode and manipulate.

https://jwt.io/

[ncodes]

I do not think there is need to encrypt the data as the JWT signature ensures the content cannot be altered successfully.

You will need the private key to successfully alter the token.

Also, the tokens shouldn't contain private information since JWT tokens can easily be decoded.