by unscaled 3271 days ago
Interesting, I didn't realize that. The JWT ecosystem (or JOSE ecosystem to be exact) offers a lot of other machinery beyond just having a key ID for key rotation like JWK and OpenID Connect discovery, but there's nothing preventing you from using the same discovery mechanisms with Macaroons. I'm using these mechanisms already with a variety of other non-JWT implementations.

Oh yes, exactly, JWT has a stronger ecosystem. Sometimes I feel like they are aimed at different problems: JWT to replace opaque tokens with stateless ones (but if you want instant revocation it becomes a problem) and Macaroons for delegated access. JWTs can be easily used to replace session tokens, while Macaroons work best when you've got your entire architecture designed with them in mind.

Just recently I was thinking that it would be nice if my DNS provider used Macaroons for API access. If I want to limit Let's Encrypt's client's access to just _acme-challenge.example.com, I could take the Macaroon from the DNS provider that has complete access and limit it to "_acme-challenge" and TXT records only. What is nice with Macaroons is that you can derive sub-tokens offline, just from the master token. Wrapping JWTs in JWTs, while possible, leaves one with the base64-in-base64 matryoshka problem.
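The offline attenuation described in the comment above, as an added Python example that is not from this thread or from any Macaroon library: a minimal first-party-caveat Macaroon built on HMAC-SHA256 chaining, where the holder narrows a full-access DNS token to one record name and type without the provider's key. The root key, identifier, caveat syntax and request dicts are constructed for the demo.

```python
import hmac
import hashlib

# Signature chain: sig_0 = HMAC(root_key, identifier); sig_i = HMAC(sig_{i-1}, caveat_i).
# The provider keeps root_key; token holders only ever see the current signature.

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Macaroon:
    def __init__(self, identifier: str, caveats, signature: bytes):
        self.identifier = identifier
        self.caveats = list(caveats)
        self.signature = signature

    @classmethod
    def mint(cls, root_key: bytes, identifier: str) -> "Macaroon":
        # Only the issuer (the DNS provider holding root_key) can mint.
        return cls(identifier, [], _hmac(root_key, identifier.encode()))

    def attenuate(self, caveat: str) -> "Macaroon":
        # Any holder can add a caveat offline: the new signature is derived
        # from the old one, so no secret key is needed.
        return Macaroon(self.identifier, self.caveats + [caveat],
                        _hmac(self.signature, caveat.encode()))

def verify(root_key: bytes, m: Macaroon, request: dict) -> bool:
    # Recompute the chain from the root key and check each caveat
    # ("field = value", constructed syntax) against the incoming request.
    sig = _hmac(root_key, m.identifier.encode())
    for cav in m.caveats:
        sig = _hmac(sig, cav.encode())
        field, _, value = cav.partition(" = ")
        if request.get(field) != value:
            return False
    return hmac.compare_digest(sig, m.signature)

ROOT_KEY = b"constructed-root-key-for-demo"  # constructed; the provider's secret

def demo():
    master = Macaroon.mint(ROOT_KEY, "dns-api:example.com")
    acme = (master.attenuate("name = _acme-challenge.example.com")
                  .attenuate("rtype = TXT"))
    allowed = verify(ROOT_KEY, acme, {"name": "_acme-challenge.example.com", "rtype": "TXT"})
    other_record = verify(ROOT_KEY, acme, {"name": "www.example.com", "rtype": "A"})
    # Dropping caveats while keeping the attenuated signature breaks the chain:
    # escalation back to full access fails verification.
    stripped = Macaroon(acme.identifier, [], acme.signature)
    escalated = verify(ROOT_KEY, stripped, {"name": "www.example.com", "rtype": "A"})
    return allowed, other_record, escalated
```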