Then you come to realize that JWT is basically pointless except for doing MFA (which you could probably have done with a random token).