by Koffiepoeder 2313 days ago
If you start calling other IAM servers to verify the permissions of the user, aren't you throwing away the usefulness and advantages of the JWT token being a form of stateless auth (isn't the use case of JWT exactly to avoid calling the IAM upon request)?

Well no, JWT tokens are there to validate that a call can be made, e.g. that whoever has made the HTTP call to your API server has been allowed to do so by the user. JWT tokens aren't there to tell you what the user themselves is allowed to do. What the user is allowed to do is an entirely different thing, and you shouldn't rely on bearer tokens to tell you that.
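The split the reply describes, shown as an added example (not code from either commenter): the token check is stateless and local, and a separate permission lookup answers what the subject may do. The HS256 shared secret, the `orders-api` audience, the `orders:*` action names and the in-memory permission table standing in for an IAM/policy service are all assumptions made for this self-contained example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Assumptions for this example: a symmetric HS256 secret (a real issuer would
# typically sign with RS256/ES256 and the API would hold only the public key)
# and a fixed audience this API accepts.
SECRET = b"example-secret-do-not-use"
AUDIENCE = "orders-api"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issuer side: build header.claims.signature (only used to construct test input)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now: float | None = None, secret: bytes = SECRET) -> dict:
    """Stateless authentication step: no network call, only local checks.

    Answers "was this caller handed a valid token by our issuer?", nothing more.
    """
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if "sub" not in claims:
        raise ValueError("missing subject")
    return claims


# Constructed stand-in for the IAM/policy service from the thread. In a real
# system this is the per-request lookup (or a short-lived cache in front of it),
# and it can change independently of any token that has already been issued.
_PERMISSIONS = {
    "alice": {"orders:read", "orders:write"},
    "bob": {"orders:read"},
}


def user_may(subject: str, action: str) -> bool:
    """Authorization step: what is this subject allowed to do right now?"""
    return action in _PERMISSIONS.get(subject, set())


def handle_request(token: str, action: str, now: float | None = None) -> tuple[int, str]:
    """Two distinct decisions: 401 if the token is not valid, 403 if the subject
    is authenticated but the policy lookup says no."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        return 401, f"unauthenticated: {exc}"
    if not user_may(claims["sub"], action):
        return 403, "forbidden"
    return 200, f"{claims['sub']} performed {action}"


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint_token({"sub": "bob", "aud": AUDIENCE, "exp": now + 300})
    print(handle_request(tok, "orders:read", now=now))   # (200, ...)
    print(handle_request(tok, "orders:write", now=now))  # (403, 'forbidden')
```

Revoking bob's write access means editing the permission table (the IAM side), not reissuing or invalidating tokens; the token stays a stateless proof of who is calling, and the lookup carries the part that has to stay current.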