Hacker News
by shakna 2114 days ago
> Slightly OT but why should I choose a JWT over creating some opaque token (random bytes) and storing that in a database mapping it to a user's ID?

To avoid the database lookup. Often you might want to hold some state, without the latency.

JWT is about your server being able to be stateless, whilst the client is stateful, which can speed up some... irritating... places of performance problems.


But you then lose the ability to revoke a token on the backend, given that that requires a DB lookup. Or you have very short-lived tokens, meaning that you don’t have real benefits versus an opaque token in a DB.

IMHO JWTs only make sense in some constrained contexts, such as:

1. You want a report, click on “generate”

2. The processing starts, you receive a token to access the resource

3. Once the file is created you can access it by using the token previously received

In those kinds of short-term and limited use cases they can make things a bit nicer, as the “report generation service” only needs to check the token.

But in practice JWTs are often used as a general authentication/authorization mechanism, and that makes little sense (and brings a lot of overhead).
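To make the trade-off the two comments describe concrete (stateless verification with no lookup, the resulting inability to revoke, and the short-lived single-purpose report token), here is an added example. It is not code from the thread or from either commenter; it uses only the Python standard library, the minimal HS256 encoder/verifier is for illustration only (use a vetted library such as PyJWT in a real system), and the key, user id, report id and timestamps are constructed demo values.

```python
"""Stateless HS256 JWT vs. opaque token in a store, and the revocation gap.

Added example, not code from the thread or either commenter. Standard
library only; the minimal JWT encoder/verifier illustrates the trade-off
(use a vetted library such as PyJWT in real systems). SECRET, user/report
ids and timestamps are constructed demo values.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SECRET = b"constructed-demo-key-do-not-use"  # assumption: key shared by issuer and verifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """header.payload.signature, HS256 over the first two segments."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_verify(token: str, key: bytes, now: float) -> Optional[dict]:
    """Stateless check: signature and exp only. No storage is consulted,
    which is exactly why nothing here can know the token was revoked."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims


class OpaqueTokenStore:
    """Random bytes mapped to a user id: every check is a lookup, revocation is a delete."""

    def __init__(self) -> None:
        self._db: dict = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token itself

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._db[self._key(token)] = user_id
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._db.get(self._key(token))

    def revoke(self, token: str) -> bool:
        return self._db.pop(self._key(token), None) is not None


def demo_revocation_gap(now: float) -> dict:
    """Revoke both kinds of token: the opaque one dies at once, the JWT only at exp."""
    store = OpaqueTokenStore()
    opaque = store.issue("user-42")
    jwt = jwt_encode({"sub": "user-42", "exp": now + 300}, SECRET)  # 5-minute lifetime
    result = {
        "opaque_valid_before_revoke": store.lookup(opaque) == "user-42",
        "jwt_valid_before_revoke": jwt_verify(jwt, SECRET, now) is not None,
    }
    store.revoke(opaque)
    result["opaque_valid_after_revoke"] = store.lookup(opaque) is not None
    # There is nothing server-side to delete for the JWT; it stays valid until exp.
    result["jwt_valid_after_revoke"] = jwt_verify(jwt, SECRET, now + 1) is not None
    result["jwt_valid_after_exp"] = jwt_verify(jwt, SECRET, now + 301) is not None
    return result


def issue_report_token(report_id: str, now: float, ttl: int = 600) -> str:
    """The report-download case: short-lived, single-purpose claims that the
    report service can check on its own, with no shared database."""
    return jwt_encode({"sub": "report-download", "rid": report_id, "exp": now + ttl}, SECRET)


def report_service_check(token: str, report_id: str, now: float) -> bool:
    claims = jwt_verify(token, SECRET, now)
    return (claims is not None
            and claims.get("sub") == "report-download"
            and claims.get("rid") == report_id)
```

`demo_revocation_gap` is the whole argument in one function: after `revoke`, the opaque token fails on the next lookup, while the JWT keeps verifying until `exp` because the verifier never touches storage. `issue_report_token` and `report_service_check` show the constrained use the second comment allows: the token names the report and expires in minutes, and the report service only needs the shared key.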