[akira2501]

> I want to create a session token that I _never_ want to revalidate against a database

There's the middle ground as well with a long lived authentication or refresh token and a short lived authorization token.

> I want to include role (or other) information directly in the token for the sake of convenience

Once I started seriously developing cloud solutions, this became indispensable. It's not just convenient, it directly reduces expenses.

[MrJohz]

A refresh/access token flow definitely can help by reducing the number of long-lived tokens floating around, but it's not really related to the type of token you use. The access token could be a JWT token, but it could also just be an opaque random string, or anything else that's convenient to pass around. It just so happens that reducing the longevity of tokens is useful if you don't want to revalidate tokens against a database.

JWT tokens definitely have their place, I don't want to imply that they're useless. They're a tool with tradeoffs like every other tool we use. But I've seen a lot of projects using them without understanding those tradeoffs, and then creating either very inefficient, overly complex, or subtly insecure applications as a result.

[akajla]

> I want to include role (or other) information directly in the token for the sake of convenience

This works up until a certain point. Once you get past simple RBAC to more fine-grained (resource-based) authz, jwts don't scale: https://medium.com/building-carta/authz-cartas-highly-scalab...