by blowski 1354 days ago
> When used properly

That's the whole problem. The majority of the time I've seen JWTs, they weren't "used properly".


Can you describe typical problems you observed? I'm using JWT but I never gave much thought to it. It seems to work by default.

One of the most common high-impact issues is failing to expire sessions. In one case, the expiration date was set to be a whole year - once a user had a valid JWT, the system would accept it for a whole year, even if the user's account was deactivated on day 2.
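The failure mode in that comment, as an added example (not code from the thread or any project it mentions): a standard-library HS256 verifier that accepts a one-year token on signature and `exp` alone, beside the same verifier consulting account state. The secret, the subject `alice`, and the `deactivated_at` lookup table are constructed for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: HS256 shared secret, constructed for this example

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, issued_at: int, lifetime: int) -> str:
    """Mint an HS256 JWT (header.payload.signature) carrying iat and exp claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "iat": issued_at, "exp": issued_at + lifetime}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int, deactivated_at: dict) -> tuple:
    """Return (accepted, reason). Rejects bad signatures, expired tokens, and tokens
    minted before the subject's account was deactivated (constructed lookup table)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    claims = json.loads(_b64url_decode(p))
    if now >= claims["exp"]:
        return False, "expired"
    # The check the comment describes as missing: a long-lived exp is only safe if the
    # server also consults account state instead of trusting the token by itself.
    killed = deactivated_at.get(claims["sub"])
    if killed is not None and claims["iat"] < killed:
        return False, "account deactivated after issue"
    return True, "ok"

def demo() -> dict:
    """Replay the scenario: one-year token, account disabled on day 2, checked on day 30."""
    t0, year, day = 1_700_000_000, 365 * 24 * 3600, 86400
    tok = issue_token("alice", t0, year)
    deactivated = {"alice": t0 + 2 * day}
    return {
        "signature_only": verify_token(tok, t0 + 30 * day, {}),
        "with_account_check": verify_token(tok, t0 + 30 * day, deactivated),
        "after_expiry": verify_token(tok, t0 + year, {}),
        "tampered": verify_token(tok[:-2] + "AA", t0 + 30 * day, {}),
    }
```

A shorter `exp` plus a server-side account or session check is what turns the first result into the second.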