JWT is a scam and your app doesn't need it
Summary
This article argues that JWT is often unnecessary for web apps and APIs, pointing to problems such as the inability to revoke an issued token, the cost of verifying a signature on every request, and the added complexity. It advocates migrating to opaque tokens and server-side sessions backed by a Redis store, and gives practical guidance for first-party apps and APIs. The piece offers a concrete alternative mindset for SMB IT and software teams evaluating authentication strategies.