by arethuza 4532 days ago
So to get the advantages of the JWT approach you really have to trust the content of the tokens you receive - if you start validating everything and scrutinizing the claims made in detail (especially against a database table of issued tokens) you might as well use an opaque bearer token?
1 comments

Yes, I don't think there is a one-size-fits-all answer. It will depend on your use cases. You can always start small using JWT and move to database-backed tokens when you get a better idea of your architecture, use cases and authorization needs. For the user, it will still be opaque and bearer.
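The trade-off discussed in this thread, as an added example that is not part of either comment: a stateless check trusts a signed HS256 token's claims, while a stateful check also looks the token up in a store of issued tokens, which is the only one of the two that notices a revocation. The key, the `jti` values, the function names and the in-memory set standing in for a database table are all constructed assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample key, not from the thread

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_jwt(claims):
    """Build a compact HS256 token: header.payload.signature."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_sign(f'{header}.{body}'))}"

def verify_stateless(token, now):
    """Trust the token: signature, pinned algorithm and expiry, no lookup."""
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(body))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: wrong part count, bad base64 or JSON

def verify_stateful(token, now, issued_ids):
    """Same checks plus a lookup of the token id (jti) in the issued set.
    The set stands in for a database table of issued tokens (assumption)."""
    claims = verify_stateless(token, now)
    if claims is None or claims.get("jti") not in issued_ids:
        return None
    return claims

if __name__ == "__main__":
    issued = {"t-1"}
    token = issue_jwt({"sub": "alice", "jti": "t-1", "exp": 2000})
    issued.discard("t-1")  # token revoked server-side before it expires
    print("stateless:", verify_stateless(token, now=1000))
    print("stateful: ", verify_stateful(token, now=1000, issued_ids=issued))
```

With the lookup in place, the signed claims add little over a random opaque identifier, which is the point the first comment raises.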