• Not for obscuring information: anyone can decode the token and see the data
  • Can’t be changed without invalidating the signature, which is generated with a secret. So the token can describe the user’s permissions, and users can’t grant themselves more
  • Signing and verifying have to be fast, but that means the secret can be brute-forced
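
The first two points above, shown as an added example (not from the original notes): the payload is readable without the secret, and an edited payload fails verification. It assumes a JWT-style HS256 token; the function names, claims and token layout are illustrative.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign(claims: dict, secret: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(_mac(f'{header}.{payload}', secret))}"

def read_claims_unverified(token: str) -> dict:
    # No secret involved: the payload is only base64url-encoded, not encrypted.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify(token: str, secret: bytes) -> Optional[dict]:
    # Always recomputes HMAC-SHA256; the algorithm is never taken from the token.
    try:
        header, payload, sig = token.split(".")
        expected = _mac(f"{header}.{payload}", secret)
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None

def edit_claims(token: str, **changes) -> str:
    # Rewrites the payload but keeps the old signature, as a holder without the secret would.
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(changes)
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"

if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # random 256-bit key, out of reach of guessing
    token = sign({"sub": "alice", "role": "viewer"}, secret)  # constructed sample claims
    print("readable without secret:", read_claims_unverified(token))
    print("verifies:", verify(token, secret))
    print("edited payload verifies:", verify(edit_claims(token, role="admin"), secret))
```

The 32-byte random secret addresses the third point: because each HMAC check is cheap, the key's entropy is what keeps guessing infeasible.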