# general
So we use 2 tokens to maintain a session. An access token (a JWT), and a rotating refresh token (not a JWT). Together, these mitigate many session-related attacks and can also detect token theft.