You can offload authentication to another server and then just use the jwt. Jwt are great in that you can read them transparently and guarantee that they were signed by whatever you trust. It's a bit roll your own but it works well and is very flexible.
CouchDB/PouchDB has very clunky auth so IMO it's better to roll your own auth and either use a reverse proxy with a JWT or else hide the DB behind an API service.