by maz1b 379 days ago
1. What if you store the JTI in your database and have the ability to immediately mark them as invalid, so that the next user request makes them logged out?

2. Storing just the JWT and things like user id should not be that big a deal for user performance. If you're referring to, for example, Apple sending massive JWT payloads for their IAP service, then I can see what you mean.

3. A standard has broken algorithms? This is news to me.

4. Don't most apps have databases? I don't see why this is a bad thing.

If JWTs in httponly cookies are bad, what do you suggest in place of them for companies running multiple mobile + web apps?