tracker1 11 days ago. link 1 point ▲ ▼Like most auth0 articles, the content is specific to their service. That said, using a public/private key jwt for your API services is good practice. As is short-lived tokens with a refresh mechanism in place, and api checks to ensure tokens are actually short-lived. Revocation is harder than ensuring short token lifespans in the first place and negates a lot of the value of JWT.