> You must have some state to handle tokens securely, and if you must have a data store, it's better to just store all the data.

This is quite a loaded statement. Why is it better to store all the data? What if you have a CDN layer that only needs to do routing based on authentication or scope, or other token encoded data?