by zip1234 3031 days ago
My big issue with JWTs: securing images. With cookies, a browser attaches the cookie on the image request. With JWT, a browser does not send it with the request. Cookies are far easier in this case.
2 comments

> With JWT, a browser does not send it with the request

Sure it does, just put the JWT in the cookie ;)

JWTs are small enough that they can fit in a URL most of the time. So there's always that option.
I believe it is generally considered unwise to attach your authentication token to the URL, as it's highly likely to end up in a bunch of access logs.
If the token is only good for one use or for a short period of time (minutes, not hours) it's probably fine. I've used them in URLs for invite links: one-time use, expiring after a short amount of time. Probably not perfect for high security applications like banks or health care, but for most applications it's fine.
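The short-lived, one-time URL token discussed in this thread, sketched as an added example (not code from any commenter). The key, the `path`/`jti` claim layout, the in-memory used-token set and the function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: server-side HS256 signing key
_used_jti = set()  # assumption: in-memory; a real service needs a shared store with expiry

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header, claims):
    return hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()

def mint_url_token(path, jti, ttl=120, now=None):
    """Build a compact HS256 JWT bound to one URL path, valid for ttl seconds."""
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"path": path, "jti": jti, "exp": now + ttl}).encode())
    return f"{header}.{claims}.{_b64(_sign(header, claims))}"

def check_url_token(token, path, now=None):
    """Return 'ok' or the rejection reason; a token that passes is marked as used."""
    now = int(time.time() if now is None else now)
    try:
        header, claims, sig = token.split(".")
        # Verify the signature before trusting anything inside the token.
        if not hmac.compare_digest(_sign(header, claims), _unb64(sig)):
            return "bad signature"
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return "bad algorithm"
        data = json.loads(_unb64(claims))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return "malformed"
    if data["exp"] <= now:
        return "expired"
    if data["path"] != path:  # a token leaked for one image cannot fetch another
        return "wrong path"
    if data["jti"] in _used_jti:  # a copy replayed from an access log is refused
        return "already used"
    _used_jti.add(data["jti"])
    return "ok"
```

Because the token still lands in access logs, the expiry and the single-use check are what limit the value of a logged copy.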