[dgellow]

But you then lose the ability to revoke a token on the backend, given that requires a DB lookup. Or you have very short lived token, meaning that you don’t have real benefits versus an opaque token in DB.

IMHO JWTs only make sense in some constrained contexts, such as:

1. You want a report, click on “generate”

2. The processing starts, you receive a token to access the resource

3. Once the file is created you get can access it by using the token previously received

In those kind of short term and limited use cases they can make things a bit nicer as the “report generation service” only need to check the token.

But in practice JWTs are often used used as a general authentication/authorization mechanism, and that makes little sense (and brings a lot of overhead).