(no title)

Because people think their app will immediately scale to a billion users and their database is unable to service all those users. (It won't and the database can)

Alternatively, they have drank the microservice kool-aid and think that making a request to an AAA service every time the user wants to do something is just too much overhead (It isn't).

If you have a federated and perhaps also heterogeneous system then "Just use a database" isn't the easy option.

Think about all the people/organisations that emit tokens you trust, or trust tokens you emit. Would they fit in an elevator? A meeting room? A conference venue?

If the code that mints all your JWTs and the code that verifies them are two methods in a class running in the same service and maintained by the same team, that's a sign you probably didn't need JWTs and an opaque token was more likely what you should use.

I remain skeptical that JWTs are a good idea for the general case. People like them because you can do stateless auth, but if your database really can't handle a single PK-based lookup per request, I feel like you have other problems. And as you say, a lot of people end up storing them in a database somewhere anyway.

Opaque token stored in the database is the secure way to go. Don’t use JWT.

The way I've seen it work is with having short lived access tokens and a refresh token, with the refresh token being saved to a database so it can be revoked. I think the benefit over an opaque token is that you have data that can be verified to be true and then passed on to multiple places. E.g passed between microservices

> Slightly OT but why should I choose a JWT over creating some opaque token (random bytes) and storing that in a database mapping it to a user's ID?

To avoid the database lookup. Often you might want to hold some state, without the latency.

JWT is about your server being able to be stateless, whilst the client is stateful, which can speed up some... Irritating... Places of performance problems.