This. Totally defeats the purpose of having JWTs if you have to hit the DB or some service to validate the token every time.