by idoubtit 2309 days ago
That's precisely the use case for JWT I recently had to work with, where cookies are irrelevant.

The web server gets a token from the API server, then prepares a few JSON messages that the web client will send asynchronously with JS. Since each message's content is signed, the web client can't tamper with what is sent to the API. JWT was perfect for this 3-tier messaging.


I mean, is all this complexity really worth "I can send data to an untrusted client so that it can later send it back to me?" compared to just storing that data somewhere like Redis?
Then you have to provide a consistent view of the database across all server nodes, and the database updates need to propagate to all of your servers more quickly than the clients can issue requests. How complex is JWT compared to that?
He never said "back to me". Back to somewhere. That may or may not know that Redis exists.