Stateless token verification with JWT (nilsson.is)
16 points by TheThing on Feb 20, 2015 | hide | past | favorite | 4 comments


I don't think storing permissions in the JWT is really a good idea, and it might make the token size a lot larger. I am not even sure if I should store the user_id in the JWT. I just implemented this on my site API and stuck the persistence token in the JWT; that way the token can be denied if you delete the persistence token, and it's linked to the user and the user's permissions... but it still requires an additional database lookup.

What if you issue the JWT with role permissions embedded, and the user is removed from the role before the JWT expires? Then they can still execute actions they are no longer allowed to. It just seems like it could end badly...


Maybe the author meant permissions such as 'read-only' or 'read-write' that place additional restrictions on a token.

Anything else would cause a lot of problems. Role permissions might change while a token is still active.


That is basically it: Additional restriction applied to the token.

I was actually referencing this article: https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-a...
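An added example, not code from the thread or from the linked Auth0 article, illustrating both points raised above: the first commenter's worry that a role claim embedded in the token stays valid until `exp`, and the clarification that the "permissions" meant here are restrictions on the token itself (read-only versus read-write). It is a minimal HS256 verifier written on Python's standard library. The signing key, the claim names `scope` and `jti` (standing in for the commenter's persistence token), the `read`/`write` actions and the fixed clock are all assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for illustration only; a real service loads it from a secret store.
DEMO_KEY = b"demo-hmac-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as the JWT compact serialization requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT over the given claims (issuer side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Stateless verification: pinned algorithm, HMAC check, expiry. No database lookup.

    Raises ValueError on any failure; returns the now-trusted claims on success.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the token never gets to choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def authorize(token: str, key: bytes, action: str, now: int, revoked_jti=frozenset()) -> bool:
    """Decide whether the bearer may perform `action` ("read" or "write").

    `scope` (assumed claim name) is a restriction carried by the token, in the
    read-only / read-write sense: it is checked statelessly and can only narrow access.
    `jti` (assumed name for the persistence token) is the one stateful hook, consulted
    only when the caller passes a revocation set. Anything else embedded in the token,
    such as a `role` claim, is trusted as-is until `exp`.
    """
    claims = verify_jwt(token, key, now)
    if claims.get("jti") in revoked_jti:
        return False
    scope = claims.get("scope", "")
    if action == "read":
        return scope in ("read", "read-write")
    if action == "write":
        return scope == "read-write"
    return False


def demo() -> dict:
    """Walk through the scenario discussed in the thread with a constructed token."""
    now = 1_700_000_000  # fixed clock so the results are reproducible
    token = sign_jwt(
        {"sub": "user-42", "jti": "persist-1", "scope": "read", "role": "admin", "exp": now + 3600},
        DEMO_KEY,
    )
    results = {
        "read_allowed": authorize(token, DEMO_KEY, "read", now),
        "write_allowed": authorize(token, DEMO_KEY, "write", now),
        # Suppose the user loses the admin role a minute later: the verifier still sees
        # the embedded claim, because nothing is looked up.
        "role_seen_after_change": verify_jwt(token, DEMO_KEY, now + 60)["role"],
        # Deleting the persistence token (revoking the jti) is what actually cuts access off.
        "read_after_revocation": authorize(token, DEMO_KEY, "read", now + 60, revoked_jti={"persist-1"}),
    }
    # Widening the scope in the claims without re-signing breaks the HMAC.
    header_b64, _, sig_b64 = token.split(".")
    forged_claims = b64url_encode(json.dumps({"scope": "read-write", "exp": now + 3600}).encode())
    try:
        verify_jwt(header_b64 + "." + forged_claims + "." + sig_b64, DEMO_KEY, now)
        results["forged_accepted"] = True
    except ValueError:
        results["forged_accepted"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice the thread circles around is visible in `authorize`: the `scope` check costs nothing beyond the signature verification, while the `jti` check is exactly the extra database lookup the first commenter mentions, and a `role` claim is neither checked nor refreshed, so a short `exp` is the only thing bounding how long a stale role remains usable.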


Thanks for clearing it up.



