Using JWT in the context of a session-based application looks very alluring at first glance (easy scalability in combination with microservices etc.). But JWT gets rather complicated when you have to ensure a maximum of one session per user in business applications or you need a mechanism to revoke a JWT.<p>For a detailed discussion see
<a href="https://news.ycombinator.com/item?id=18353874" rel="nofollow">https://news.ycombinator.com/item?id=18353874</a>
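The revocation and one-session-per-user problem raised in the comment above, as an added example that is not part of the original comment: a signature-and-expiry check keeps accepting a token after logout or a second login, so the server needs a per-request lookup. `SECRET`, `ACTIVE_JTI` and all function names are hypothetical, and the in-memory dict stands in for a store shared by every service.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # constructed signing key for this demo
ACTIVE_JTI = {}                    # hypothetical shared store: user -> current token id

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def login(user, ttl=900):
    """Issue an HS256 token; a new login replaces the user's previous session."""
    jti = secrets.token_hex(16)
    ACTIVE_JTI[user] = jti
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64(json.dumps({"sub": user, "jti": jti,
                             "exp": int(time.time()) + ttl}).encode())
    return f"{header}.{claims}.{sign(header + '.' + claims)}"

def verify_stateless(token):
    """Signature and expiry only: all a service can check without shared state."""
    try:
        header, claims, sig = token.split(".")
        if json.loads(unb64(header)).get("alg") != "HS256":
            return None                      # pin the algorithm, never trust the header
        if not hmac.compare_digest(sig, sign(header + "." + claims)):
            return None
        payload = json.loads(unb64(claims))
    except (ValueError, TypeError, AttributeError):
        return None
    return payload if payload.get("exp", 0) > time.time() else None

def verify_session(token):
    """Adds the per-request lookup that revocation and single-session require."""
    payload = verify_stateless(token)
    if payload and hmac.compare_digest(ACTIVE_JTI.get(payload["sub"], ""),
                                       payload["jti"]):
        return payload
    return None

def logout(user):
    ACTIVE_JTI.pop(user, None)     # revoke: the token itself stays validly signed
```

The lookup in `verify_session` is the state that the stateless design was meant to avoid; without it, a revoked token remains usable until its `exp`.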