JWT inside of a cookie is fine. This gist is unnecessarily pedantic and seems oblivious to the fact that 99% of JWT impls are indeed just stuffing it inside a cookie.
But yes, short lifetimes with frequent renewals are necessary; that's obvious though. And same applies to any other auth tech.