There isn't any point in the article or video that describes why it is worse than a session token in any way. Personally, I think a 5 minute expiry is too long and I think a 10-30s expiry is the ideal range, so that one page load requires 1 token.

> Sessions need to have longer lifespans than that.

Why is this a JWT issue? JWTs generally have refresh tokens, which are database-validated, and we need to refresh just once for 100s of calls in 5 minutes.

> "stateless"

Yeah, this sounds bad and I don't think people do it.

> JWTs which just store a simple session token are inefficient and less flexible than a regular session cookie, and don't gain you any advantage.

Ok, but it is not worse either.

> The JWT specification itself is not trusted by security experts. This should preclude all usage of them for anything related to security and authentication. The original spec specifically made it possible to create fake tokens, and is likely to contain other mistakes. This article delves deeper into the problems with the JWT (family) specification.

What are they even trying to say?
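The arrangement the reply argues for (a short-lived signed access token checked statelessly on every request, plus an opaque refresh token validated against a server-side store once per window) as an added example; this is not code from the thread. The 30 s TTL, the HS256 key and the dict standing in for the database are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets

ACCESS_TTL = 30              # seconds: the 10-30 s window argued for above (constructed value)
SECRET = b"constructed-demo-hmac-key"   # constructed; a deployment loads this from a secret store
REFRESH_STORE: dict[str, str] = {}      # refresh token -> subject; stands in for the database

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_access_token(sub: str, now: float) -> str:
    """HS256 JWT carrying only the subject and a short exp; nothing about it is stored server-side."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_access_token(token: str, now: float):
    """Stateless per-request check: pin the algorithm, verify the MAC, enforce exp. Returns sub or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # The verifier decides the algorithm, never the token; an 'alg: none' forgery fails here.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:                   # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims.get("sub")

def issue_refresh_token(sub: str) -> str:
    """Opaque random token, valid only while it exists in the store, so it can be revoked."""
    rt = secrets.token_urlsafe(32)
    REFRESH_STORE[rt] = sub
    return rt

def refresh(refresh_token: str, now: float):
    """Database-validated exchange, needed once per TTL window rather than once per call."""
    sub = REFRESH_STORE.pop(refresh_token, None)   # one-time use: a replayed or stolen copy is rejected
    if sub is None:
        return None
    return mint_access_token(sub, now), issue_refresh_token(sub)
```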