I wrote this because I kept reading “don’t use JWT” and getting pushback with “so what should we use instead?” Hopefully now I can point to this.

I hope the idea of “single purpose single implementation JWT library” catches on more widely. It would really be much better as just HMAC-SHA256.