The short-term tokens section is weird.

> If you do need a short-lived, signed token for something, there is a better spec called PASETO which is designed to be secure

Suggesting to non-security people (like myself) something for auth that isn't a mainstream idea seems like a bad idea? Not to mention that it doesn't refer to any reasons why it's better.