I disagree. Just because a subpar implementation is "winning" thanks to cargo-cult developers doesn't mean it's time to put up with mediocrity, especially in a security context where a failure can be disastrous.

If you have a business case for JWTs, fine, take on the extra complexity and implement JWTs properly.

If you don't (and as the author points out, the majority of implementations don't need them), push back and do it properly using a simpler system, rather than implement the complexity just to then abstract it away.