That is true. The real world is dirty and messy:

- supporting public LAMP apps

- database servers that have public IP addresses that are barely filtered

- boxes not getting updates

- under-secured Linux boxes with almost every option recompiled to on

- chmod 777 developers

- substituting signatures of checksums for signatures of data

- not using HMAC and opening themselves up to length-extension and chosen plaintext attacks

- storing SSL/SSH private keys unencrypted on unencrypted laptops

- downloading HR data to a laptop and leaving it

I actually was fired once from a big name university in the SF Bay Area for refusing to haphazardly ruin the network security of a credit card processing private campus network to facilitate a new vendor remoting into terminals.

Integrity through awareness/caution, processes and standard components.

Bringing in a bunch of random dependencies, regardless of license or support status, is inviting all sorts of gaping attack surfaces.

Author here. As a matter of fact, the world has already settled on JWT. Paseto is dead in the water and will never gain any traction.

Every single company has no choice but to support JWT in some capacity. Whenever one has to use social auth (Google/Facebook/twitter), or Microsoft products (ADFS/Office365), or third party authentication solutions (Okta/auth0), they're de facto dealing with OpenID Connect + JWT (or SAML but that's a different topic).

No, I was speaking even more generally. There are thousands of mainframes still running COBOL that process trillions/billions of dollars of transactions per day. There are obscure software packages and programming languages you've never heard of doing many important, niche tasks. So no, popularity will never equal value. There is no wisdom in a mob. The. End.

Give me a few months, then. :P

If they agree it's a good idea, it should pick up quickly.