From the article:<p>> JWTs (...) can’t be revoked easily and may expose sensitive data if not encrypted.<p>This is not true.<p>Revoking a JWT is as simple as adding the JWT ID to a list of revoked JWTs. If a JWT is valid and its JWT ID is in the revoked list, the JWT is refoked. The tradeoff is that resource servers need to periodically refresh this list.<p>Also, a JWT only leaks sensitive data if you purposely want the JWT to ship sensitive data. Nothing forces you to do that.<p>> Opaque tokens (...) offer better security and revocation control but come with extra overhead and reduced scalability.<p>This is simply wrong. Any security and revocation check you can do with a opaque token, you can do with a JWT as well.<p>Overall the quality of the article is quite poor.