Flask-Middleware / flask-security

Quick and simple security for Flask applications
MIT License

JWT should not be used #330

Closed JimDabell closed 3 years ago

JimDabell commented 4 years ago

Migrate to more modern paradigms such as using oauth2 and JWT for token acquisition.

The problems with JWT are well documented. Paseto is a replacement for JWT without these problems.

jwag956 commented 4 years ago

Thanks for the links. I completely agree that JWT shouldn't be used for browser-based applications. I have added to the Flask-Security documentation some notes about that - sessions are easier, more secure etc. The idea for JWT was to replace the tokens used for communicating application to application (such as in a micro-service or scripting environment), where JWTs can have all the authn and authz information embedded in them so that no DB calls are needed, which can be a nice performance and ease-of-administration win.

I will look more into Paseto - hadn't seen that before.
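The service-to-service token jwag956 describes, where the authn and authz information travels inside the token so the verifier makes no DB call, as an added example that is not Flask-Security's own code: a stdlib-only HS256 JWT is minted with a subject, a role list and an expiry, and the verifier pins the algorithm, checks the signature in constant time and takes its authorization decision purely from the embedded claims. The shared secret, the service name and the role strings are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads it from config or a KMS.
SECRET = b"demo-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, secret: bytes = SECRET, ttl: int = 300, now=None) -> str:
    """Issue an HS256 JWT carrying the caller's identity and roles."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl)
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(body, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if the token is well-formed, untampered and unexpired."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the verifier decides how to verify, never the token header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def authorize(token: str, required_role: str, now=None) -> bool:
    """Authz decision made only from the embedded claims: no DB lookup."""
    try:
        claims = verify(token, now=now)
    except ValueError:
        return False
    return required_role in claims.get("roles", [])


if __name__ == "__main__":
    tok = mint({"sub": "billing-svc", "roles": ["invoice:read"]})
    print(tok)
    print("read allowed:", authorize(tok, "invoice:read"))
    print("write allowed:", authorize(tok, "invoice:write"))
```

The flip side of "no DB calls" is that nothing consulted at verification time can revoke a token before its `exp`, so the TTL is the only revocation lever; keeping it short, as the 300-second default here does, is what makes the stateless trade-off acceptable for machine-to-machine traffic.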