Is most of this specific to JWT and its format? Meaning if my token consists of a stateless "id" and an authenticated hash of it appended, and I have it passed as an HTTP auth bearer header, am I good? Assumptions being my authed hash algo is acceptable, my "id" value embeds a creation time that I expire in a few hours, and nothing can be gleaned from the "id" itself.
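As an added illustration (my own code, not something posted by the asker or anyone else in this thread) of the "id + authenticated hash" scheme described above, here is the issue/verify pair as I'd write it: HMAC-SHA256 over the exact id bytes, constant-time comparison, and the MAC checked before the id is parsed at all, so nothing unauthenticated is ever interpreted. The field names (`sub`, `iat`, `nonce`), the 3-hour TTL, the 60-second skew allowance and the dot-separated base64url wire format are my assumptions, not anything the question specifies.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Assumed: "a few hours" from the question, pinned to 3h for the demo.
TOKEN_TTL_SECONDS = 3 * 3600
# Assumed: tolerate a minute of clock skew between issuer and verifier.
CLOCK_SKEW_SECONDS = 60


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, user_id: str, now: Optional[int] = None) -> str:
    """Return '<b64url(id)>.<b64url(HMAC-SHA256(key, id))>'.

    The id carries the subject, the issue time and a random nonce so two
    tokens for the same user at the same second still differ.  The MAC is
    computed over the exact bytes that go on the wire, so the verifier never
    has to canonicalise anything before checking it.
    """
    iat = int(time.time()) if now is None else now
    ident = json.dumps(
        {"sub": user_id, "iat": iat, "nonce": secrets.token_hex(8)},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    mac = hmac.new(key, ident, hashlib.sha256).digest()
    return f"{_b64url_encode(ident)}.{_b64url_encode(mac)}"


def verify_token(key: bytes, token: str, now: Optional[int] = None,
                 ttl: int = TOKEN_TTL_SECONDS,
                 skew: int = CLOCK_SKEW_SECONDS) -> Tuple[bool, str, Optional[dict]]:
    """Return (ok, reason, fields).  Order matters: MAC first, parse second."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed", None
    try:
        ident = _b64url_decode(parts[0])
        mac = _b64url_decode(parts[1])
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed", None
    expected = hmac.new(key, ident, hashlib.sha256).digest()
    # Constant-time compare: a plain == would leak how many leading bytes match.
    if not hmac.compare_digest(mac, expected):
        return False, "bad_mac", None
    # Only now is the id trusted enough to be parsed.
    try:
        fields = json.loads(ident)
        iat = fields["iat"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed", None
    if not isinstance(iat, int) or isinstance(iat, bool):
        return False, "malformed", None
    if iat - now > skew:
        return False, "not_yet_valid", None
    if now - iat > ttl:
        return False, "expired", None
    return True, "ok", fields


def forge_subject(token: str, new_sub: str) -> str:
    """What an attacker without the key can do: rewrite the id, keep the MAC.
    Used below only to show that such a token is rejected."""
    id_part, mac_part = token.split(".")
    fields = json.loads(_b64url_decode(id_part))
    fields["sub"] = new_sub
    forged = json.dumps(fields, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64url_encode(forged)}.{mac_part}"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # 256-bit key from a CSPRNG, one per purpose
    tok = issue_token(key, "alice")
    print("bearer:", tok)
    print("verify:", verify_token(key, tok)[1])
    print("forged:", verify_token(key, forge_subject(tok, "admin"))[1])
```

Two caveats the question's assumptions don't cover: because the token is stateless there is no way to revoke it before `iat + ttl`, so the TTL is the only lever you have after a leak (hence keeping it short); and the HMAC key must be used for this one purpose only, since reusing it to sign anything else lets a MAC minted elsewhere be replayed as a bearer token.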