tptacek wrote up a rather nice comparative survey of the field, including Biscuits and Macaroons

https://fly.io/blog/api-tokens-a-tedious-survey




We also did an episode of the podcast with Geoffroy:

https://securitycryptographywhatever.com/2022/01/29/biscuits...


This was a great episode, another great one I remember is https://securitycryptographywhatever.com/2021/08/12/what-do-...

I'd recommend listening (or reading the transcripts) to anyone who needs or wants to understand more about JWT and other tokens

(And if you're not, check out the other episodes still. That podcast is great, some of the episodes get really deep into the cryptography weeds but if I get through them I still feel like I learned something :-) thanks for making it)


Tldr client-server is different than server-server, you should think about your use case and what you need from your auth system, but tptacek thought long and hard about each at two different companies and decided on macaroons in both cases. Good to know!

(Just kidding, ish, and though they're quite long they're not too long and I did read; would recommend.)
