JWT - JSON Web Tokens

https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens

• people can still see the data in a JWT, it doesn't encrypt the DATA, it uses encryption to make sure the person sending it is who they say they are
• if you wanna encrypt the data in your JSON data, use JWE: https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3

what are JWTs useful for?

• they're for speeding up API token authentications.
  • because the tokens are signed, when you authenticate the first time, the token is 'safe'
  • subsequent api calls (even across different APIs in a service, think google cloud APIs) don't need reauthentication, because they are trusted to be 'safe'.
  • but this also means you need to store your JWT properly