It was a very conscious decision on our end to not follow the JWT spec here.. cause if we did, we thought it would be very easy for people to misuse the access token as a JWT and send it to third party services (like Hasura which uses JWTs for auth)...