JSON web tokens (JWTs) are great — they are easy to work with and stateless, requiring less communication with a centralized authentication server. However, when incorrectly configured or misused, JWTs can lead to broken object-level authorization or broken function-level authorization vulnerabilities.

JWTs are commonly used as access tokens and ID tokens in OAuth and OpenID Connect flows.

JWTs are by-value tokens containing data intended for the API developers so that APIs can decode and validate the token.

My recommendations when signing JWTs are the following: to avoid duplicate tokens, add a random token ID in the jti claim.
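As an added example (not code from the original article), the jti recommendation above in a minimal stand-alone HS256 signer and verifier: the signer puts a random jti in every token, and the verifier, after pinning the algorithm and checking signature and expiry, refuses any jti it has already accepted. The key, claim values and in-memory seen-jti set are constructed for the demo.

```python
import base64, hmac, hashlib, json, secrets, time
# Constructed demo key; a real service loads it from a secret store.
SECRET = b"demo-signing-key-not-for-production"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims, key=SECRET, ttl=300):
    """HS256-sign claims, adding a random jti and an exp when absent."""
    claims = dict(claims)
    claims.setdefault("jti", secrets.token_urlsafe(16))  # 128 random bits: unique per token
    claims.setdefault("exp", int(time.time()) + ttl)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class JwtVerifier:
    """Checks alg, signature and exp, then rejects any jti seen before."""
    def __init__(self, key=SECRET):
        self.key = key
        self.seen_jti = set()  # production: shared store, entries expire with the token

    def verify(self, token, now=None):
        now = int(time.time()) if now is None else now
        h, p, s = token.split(".")  # ValueError if not three segments
        if json.loads(_unb64url(h)).get("alg") != "HS256":  # pin the algorithm
            raise ValueError("unexpected alg")
        expected = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64url(p))
        if now >= claims.get("exp", 0):
            raise ValueError("expired or missing exp")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or already-used jti")
        self.seen_jti.add(jti)
        return claims

def is_accepted(verifier, token):
    # True if the verifier accepts the token, False on any validation error
    try:
        verifier.verify(token)
        return True
    except ValueError:
        return False
```

The in-memory set makes every token single-use; a service that allows reuse within the token's lifetime would instead index seen jti values per subject and only flag unexpected repeats.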
