# general
r
So there are two things to keep in mind:
- Do not store any sensitive info in the JWT, like the user's phone number etc. If that must be tied to a session, store it in session data (in the db).
- Keep JWTs short lived.