by mewpmewp2 936 days ago
> I would not try to cram JWTs into cookies; they are too big, but maybe these days nobody cares about the extra bytes

Why does the length matter compared to when they are sent with cookies or with a special header?

2 comments

Cookies are sent with every request, including to every image, script file, style sheet, etc. When sent as a separate header, you only send it with API requests.
You could use the Path prefix to only send it to API endpoints where the request has to be authenticated?

Or many usually have separate domain/subdomain names for API and static content in the first place.

I think having a separate prefix/subdomain would be generally good practice for defining scope which should be authed as well.

Yeah, fair point. Maybe you could get some wins if serving assets from the same domain, but you probably should use a CDN for that on a different domain.
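The cookie Path scoping discussed in the thread, as an added example that is not part of the original discussion: a small implementation of the RFC 6265 default-path and path-match rules, applied to a constructed cookie jar and a constructed page load (one HTML document, three static assets, one API call), to show which requests would carry a large session token and how many Cookie-header bytes that costs with Path=/ versus Path=/api. The token, cookie names and request paths are all made up for illustration.

```javascript
// Added example, not from the thread. Implements the cookie Path rules from
// RFC 6265 section 5.1.4 and measures Cookie-header bytes for a constructed
// page load. All cookies, paths and the token value are constructed here.

// Default path used when a Set-Cookie header carries no Path attribute
// (RFC 6265 5.1.4): everything up to, but not including, the last "/",
// or "/" if the request path has at most one "/".
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  if (lastSlash === 0) return '/';
  return requestPath.slice(0, lastSlash);
}

// Path-match (RFC 6265 5.1.4): the cookie path must equal the request path,
// or be a prefix that either ends in "/" or is followed by "/" in the
// request path. So Path=/api matches /api and /api/users but NOT /apiary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Cookies the browser would attach to a same-site request for requestPath,
// and the byte length of the resulting Cookie header value.
function cookiesForRequest(jar, requestPath) {
  const sent = jar.filter(c => pathMatches(requestPath, c.path));
  const header = sent.map(c => `${c.name}=${c.value}`).join('; ');
  return { names: sent.map(c => c.name), bytes: header.length };
}

// Constructed stand-in for a ~300-byte signed session token (not a real JWT).
const TOKEN = 'a'.repeat(300);

// Constructed jar: a large session cookie scoped to sessionPath, plus a small
// site-wide preference cookie that is sent everywhere regardless.
function makeJar(sessionPath) {
  return [
    { name: 'session', value: TOKEN, path: sessionPath },
    { name: 'lang', value: 'en', path: '/' },
  ];
}

// Constructed page load on one origin: document, static assets, one API call.
const PAGE_LOAD = [
  '/index.html',
  '/static/app.js',
  '/static/site.css',
  '/img/logo.png',
  '/api/me',
];

// Total Cookie-header bytes the client sends across the whole page load.
function bytesPerPageLoad(jar, paths) {
  return paths.reduce((sum, p) => sum + cookiesForRequest(jar, p).bytes, 0);
}

// Stand-alone demonstration.
for (const scope of ['/', '/api']) {
  const jar = makeJar(scope);
  console.log(`session cookie Path=${scope}:`);
  for (const p of PAGE_LOAD) {
    const { names, bytes } = cookiesForRequest(jar, p);
    console.log(`  ${p.padEnd(18)} -> [${names.join(', ')}] ${bytes} bytes`);
  }
  console.log(`  total for page load: ${bytesPerPageLoad(jar, PAGE_LOAD)} bytes`);
}
console.log('/apiary matches Path=/api?', pathMatches('/apiary', '/api'));
```

Two caveats worth keeping in mind when using this trick: path matching is a prefix-with-separator rule, so a cookie with Path=/api is not sent to /apiary but is sent to /api/anything; and RFC 6265 section 8.6 is explicit that Path provides no security isolation, since any script running on the same origin can still read or replay the cookie regardless of path, so this is a bandwidth optimisation, not an access control.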