I listen to a few cryptography podcasts, and cryptography is an interest of mine[1]. Most security engineers agree that JWT has too much surface area and takes so much care from the implementer that it can lead to security holes[2].
Another reason I like just generating a security token when the user logs in is that I can require a join on the table for any query, so that it's extra secure.
e.g. if fetching "posts" for a "user" and I have 3 tables (users, posts, and user_tokens), I can do an inner join like this (if the `posts` table has `user_id`):
-- $1 = the user_id the caller claims, $2 = the bearer token presented with the request
-- (PostgreSQL-style positional parameters; no rows come back unless the token exists
-- AND belongs to that same user_id)
select p.*
from posts p
inner join user_tokens ut using (user_id)
where p.user_id = $1 and ut.token = $2
-- `users` table wasn't needed for this join since I'm not selecting from it
With JWTs the security happens once, when you verify the JWT signature, but then security is less of a focus when making queries, which would complicate queries anyway since you have to make sure the same user who owns the JWT has access to the data (it handles authentication but not authorization). You still need to hit the database anyway for fetching any data, so the headless approach for JWTs isn't really saving me much, so I like to just bake security into the queries.
[1]: I recommend the new book "Real World Cryptography" by David Wong
I would very much like to never use JWTs again.
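A runnable version of the pattern described in the comment above, added here as an example and not taken from the comment itself. It uses the same three tables (users, posts, user_tokens) and the same join-through-the-token-table query, on an in-memory SQLite database so it runs offline. Two things are my own additions and not in the original: the token is stored as a SHA-256 hash rather than in the clear, and the token row carries an expiry. SQLite uses `?` placeholders where the comment's PostgreSQL query used `$1`/`$2`.

```python
"""Added example: login-issued opaque tokens, with authorization enforced
by joining every data query through user_tokens. Not code from the
original comment; table names follow it, token hashing and expiry are
this example's own design choices."""
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE users (
    user_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL
);
CREATE TABLE posts (
    post_id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(user_id),
    body    TEXT NOT NULL
);
CREATE TABLE user_tokens (
    token_hash TEXT PRIMARY KEY,   -- sha256(token); the raw token is never stored
    user_id    INTEGER NOT NULL REFERENCES users(user_id),
    expires_at TEXT NOT NULL       -- ISO-8601, UTC, so string comparison orders correctly
);
"""


def token_hash(token: str) -> str:
    # The token itself is 256 bits of CSPRNG output, so an unsalted hash is
    # enough: a leaked table dump can no longer be replayed as bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(conn: sqlite3.Connection, user_id: int,
                ttl: timedelta = timedelta(hours=12)) -> str:
    """Called at login; returns the opaque token the client will send back."""
    token = secrets.token_urlsafe(32)
    expires_at = (datetime.now(timezone.utc) + ttl).isoformat()
    conn.execute(
        "INSERT INTO user_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
        (token_hash(token), user_id, expires_at),
    )
    return token


def revoke_token(conn: sqlite3.Connection, token: str) -> None:
    """Logout: deleting the row is all it takes for every later query to return nothing."""
    conn.execute("DELETE FROM user_tokens WHERE token_hash = ?", (token_hash(token),))


def posts_for(conn: sqlite3.Connection, user_id: int, token: str) -> list:
    """The comment's query: the join means a token for a different user, an
    unknown token, or an expired token all yield zero rows, and the query
    never has to consult a session object to decide that."""
    now = datetime.now(timezone.utc).isoformat()
    return conn.execute(
        """
        SELECT p.post_id, p.body
        FROM posts p
        INNER JOIN user_tokens ut ON ut.user_id = p.user_id
        WHERE p.user_id = ?
          AND ut.token_hash = ?
          AND ut.expires_at > ?
        ORDER BY p.post_id
        """,
        (user_id, token_hash(token), now),
    ).fetchall()


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, three posts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                     [(10, 1, "hello"), (11, 1, "world"), (12, 2, "bob's post")])
    return conn


def demo() -> dict:
    """Exercise the success path and each failure mode; returns the row lists."""
    conn = build_db()
    alice = issue_token(conn, 1)
    expired = issue_token(conn, 1, ttl=timedelta(seconds=-1))  # already expired
    results = {
        "own":        posts_for(conn, 1, alice),        # alice reads alice's posts
        "cross_user": posts_for(conn, 2, alice),        # alice's token, bob's user_id
        "bogus":      posts_for(conn, 1, "not-a-token"),
        "expired":    posts_for(conn, 1, expired),
    }
    revoke_token(conn, alice)
    results["revoked"] = posts_for(conn, 1, alice)      # logged out: nothing comes back
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:10s} -> {rows}")
```

One property of the pattern worth knowing before adopting it: an empty result means "no such post", "bad token", "token for someone else" and "token expired" all at once, so the application can't tell a 401 from a 403 from a 404 without a second query. Revocation, on the other hand, is a single DELETE, which is exactly what a signed-but-stateless JWT can't offer without adding a denylist lookup that brings the database round-trip back anyway.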