auth0-blog / angular2-authentication-sample

This is a sample that shows how to add authentication to an Angular 2 (ng2) app
MIT License

jwt signing without password #59

Closed rakeen closed 8 years ago

rakeen commented 8 years ago

While signing a token with jsonwebtoken you guys omitted the password. Is there any specific reason to do so (i.e. security concern)?

chenkie commented 8 years ago

The user's password shouldn't be a part of the JWT payload and generally you just need some identifier for the user. If passwords are properly stored (hashed) then they wouldn't be useful as part of the payload anyway :)
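
To illustrate the answer above, here is an added example that is not part of the original thread or the sample repo's code. It builds an HS256 token by hand with Node's built-in `crypto` (instead of jsonwebtoken) to show that the payload can be read without the signing secret, which is why only an identifier belongs in it. The user record, secret and helper names are constructed for illustration.

```javascript
// Added example: a JWT payload is signed, not encrypted. All values are constructed.
const crypto = require('crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const HEADER = b64url({ alg: 'HS256', typ: 'JWT' });

// Sign "header.payload" with HMAC-SHA256, as HS256 tokens do.
function signToken(payload, secret) {
  const signingInput = `${HEADER}.${b64url(payload)}`;
  const sig = crypto.createHmac('sha256', secret).update(signingInput).digest('base64url');
  return `${signingInput}.${sig}`;
}

// What anyone holding the token can do: decode the payload with no secret at all.
function readPayloadWithoutSecret(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
}

// What the server does: pin the algorithm, recompute the MAC, compare in constant time.
function verifyToken(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3 || parts[0] !== HEADER) return null;
  const expected = crypto.createHmac('sha256', secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Constructed user record; passwordHash is a placeholder, not a real hash.
const user = { id: 42, username: 'demo', passwordHash: '<stored-hash-placeholder>' };
const SECRET = 'constructed-demo-secret';

// Only identifiers go into the claims; password material is never copied in.
function claimsFor(u) {
  return { sub: String(u.id), username: u.username };
}

const token = signToken(claimsFor(user), SECRET);
console.log('readable without secret:', readPayloadWithoutSecret(token));
console.log('signature valid:', verifyToken(token, SECRET) !== null);
```

The signature only lets the server detect tampering; it does nothing to hide the claims from whoever holds the token.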