
Not sure what there is to backlash against with JWT, when implemented correctly.



For example: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-fo...

Others have also argued that JWT is too complex for the problems most devs are trying to solve. That complexity can lead to more problems, especially when coupled with the fact that many devs do not fully grasp all the implications of using JWTs.

Or at least that was my impression of the arguments. Sorry if I'm misrepresenting anyone.


One of the biggest issues is revocation, i.e. you can’t. Sure, you can always keep track of JWTs and refuse to accept ones that have been revoked, but congratulations, you’ve just invented session tokens (albeit more complicated).


A slightly more sensible revocation scheme would be to keep a counter attached to the user in the database. For the cost of a single int in your database you can bulk invalidate all the tokens for a specific user: just increment the counter and make sure not to accept tokens with the counter too high or too low.

But yeah, at that point you might as well go for session tokens, as you need a DB request anyway.
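The two revocation approaches discussed above (a per-token deny list, and a per-user version counter embedded in the token) side by side, as an added example that is not part of the thread. It builds a minimal HS256 JWT with the standard library so it runs offline; the `USER_VERSIONS` and `REVOKED_JTI` stores, the `ver` claim name, and the demo key are constructed for illustration, and in a real deployment the counter would be a column on the user row and the deny list a table or cache.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SECRET = b"constructed-demo-key-do-not-reuse"  # constructed demo key

# Hypothetical stores. Per-user token version counter: one int per user.
USER_VERSIONS = {"alice": 0}
# Per-token deny list keyed by the "jti" claim: grows with every revocation.
REVOKED_JTI: set[str] = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(user: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT carrying the user's current version counter ("ver")."""
    now = int(time.time()) if now is None else now
    payload = {
        "sub": user,
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),       # unique id, needed for the deny-list approach
        "ver": USER_VERSIONS[user],        # snapshot of the per-user counter
    }
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is valid and not revoked, else None."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":   # pin the algorithm; never honour "none"
            return None
        expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        payload = json.loads(_b64url_decode(p64))
    except ValueError:                      # malformed base64 or JSON
        return None
    if payload.get("exp", 0) <= now:
        return None
    # Approach 1: per-token deny list (the "you've reinvented sessions" path).
    if payload.get("jti") in REVOKED_JTI:
        return None
    # Approach 2: per-user counter. The token's "ver" must equal the stored value
    # exactly; too low means revoked, too high means it was never issued by us.
    current = USER_VERSIONS.get(payload.get("sub"))
    if current is None or payload.get("ver") != current:
        return None
    return payload


def revoke_one(token: str) -> bool:
    """Deny-list a single token by its jti. Returns False if it cannot be parsed."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return False
    REVOKED_JTI.add(payload.get("jti", ""))
    return True


def revoke_all(user: str) -> int:
    """Bulk-invalidate every outstanding token for a user by bumping the counter."""
    USER_VERSIONS[user] += 1
    return USER_VERSIONS[user]
```

Both checks still cost a store lookup on every request, which is the point the comment makes: the counter keeps the cost to one small integer per user rather than one row per revoked token, but it cannot avoid the database round trip that a session table would also need.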



