Hacker News
by cogman10 1360 days ago
I feel like this is mixing concepts.

JWTs aren't for transmitting sensitive data or encrypting things. JWTs are about having claims that can't be forged by the client.

So why would you put a JWT in a cookie? To give the end user a set of claims that they can't change; they can only read them and give them back to the server. Those claims can include things like user id, or session id, or whatever you might imagine.

Now, could you accomplish the same thing with an encrypted cookie? Absolutely. I'm not arguing about what you can or can't do with stuff, but rather against commenters saying "JWT is such and such and forces so and so". It's nothing but a signed set of claims.

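To make the "signed set of claims the client can read but not forge" point concrete, here is an added example (not code from the thread or from any JWT library): a minimal HS256 JWS in standard-library Python. The secret key, claims, timestamps and token values are constructed for illustration. The client-side helpers show that the payload is readable without the key and that a swapped payload no longer verifies; the server-side verifier also pins the algorithm so that an unsecured "alg": "none" token is rejected, which is the check most real-world JWT bugs come down to.

```python
"""Minimal HS256 JWS (the usual 'JWT'): readable by the client, forgeable by nobody without the key.

Added example, not from the thread. Standard library only; every key, claim and
timestamp below is constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server secret. In practice it comes from a secret store and never reaches the client.
SECRET_KEY = b"constructed-server-secret-32-bytes-long!"


def _b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7515 requires for compact serialization."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Server side: header.payload.signature, HMAC-SHA256 over the first two segments."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(tag)


def read_claims_unverified(token: str) -> dict:
    """Client side: the payload is only base64url-encoded, so anyone holding the token can read it."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Server side: return the claims only if the token is well-formed, HS256-signed with `key`, and unexpired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm on the server. Letting the token's own header choose it is
        # how "alg": "none" and key-confusion bugs happen.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):  # wrong segment count, bad base64, bad JSON
        return None
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        return None
    return claims


def forge_payload(token: str, new_claims: dict) -> str:
    """What a client can try: swap the payload and keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _json_segment(new_claims) + "." + sig_b64


def alg_none_token(claims: dict) -> str:
    """Unsecured JWS ('alg': 'none', RFC 7518 section 3.6): empty signature segment."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(claims) + "."


if __name__ == "__main__":
    issued = sign_jwt({"sub": "42", "role": "user", "exp": 2_000_000_000}, SECRET_KEY)
    print("client reads:   ", read_claims_unverified(issued))
    print("server verifies:", verify_jwt(issued, SECRET_KEY, now=1_900_000_000))
    tampered = forge_payload(issued, {"sub": "42", "role": "admin", "exp": 2_000_000_000})
    print("tampered:       ", verify_jwt(tampered, SECRET_KEY, now=1_900_000_000))
    print("alg none:       ", verify_jwt(alg_none_token({"sub": "42", "role": "admin"}), SECRET_KEY))
```

The only thing the signature buys is integrity: `read_claims_unverified` works for anyone, so nothing secret belongs in the payload unless the token is additionally encrypted (JWE). The encrypted-cookie alternative the comment mentions gives you the same unforgeability plus confidentiality, at the cost of the client no longer being able to read its own claims.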

JWTs can be encrypted and signed, or just signed (or signed alg: none).

Ah, didn't realize encryption had made it into the spec.

Stop being snarky; there are RFCs describing JWS and JWE. People just use the term JWT generically and let the context dictate what they're actually referring to.

You are reading my comment uncharitably.

I did not know that encryption had made it into the JWT spec. My comment was supposed to convey surprise, not some sort of snark or sarcasm. I read the spec after the OP comment and learned something new today.