Not for obscuring information: anyone can decode the token and see the data
Can’t be changed, because there is a signature generated with a secret. So the token can describe the user’s permission, and they can’t grant themselves more
Have to be fast, but that means they can be brute-forced