Honestly, this all makes it sound like JWTs are horrible.
Except for the stateless authorization thing (which no one uses; everybody ends up calling the mother service anyway because they are unable to verify the signature by themselves, and they don't even know the pubkey of the mother service either; that is not made available or clear anywhere), everything else is just worse for all sides.