SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

We have a few different backend services; I'd prefer not to implement SuperTokens in each one.

Is there a best practice on how to manage authn in a such a multi-service environment? E.g. should our user service mint short-lived JWTs, once identity has been established?

I just found these docs on JWTs: https://supertokens.com/docs/thirdpartypasswordless/common-customizations/sessions/with-jwt/enabling-jwts

I'd still be interested to hear why any pros and cons that might not be obvious

using JWTs in this case is the right thing to do. The only con is that you will be exposing the JWT on the frontend storage so little less secure. But that's OK since these JWTs are short lived anyway