A JWT token is composed of three parts: a header, payload, and signature.
The problem is that people can put sensitive info in the payload.
None of it is encrypted, it's only signed with HMAC.
Unless you're keeping track of the tokens, once a token is issued it's valid until it expires, due to it's stateless nature.
You can use a JWT as a Bearer token, but since it's only base64 encoded, you can pull out that payload data.
A truly opaque Bearer token will be meaningless to anything other than your server.
Play with the debugger here to see what I'm talking about: https://jwt.io/
A JWT token is composed of three parts: a header, payload, and signature.
The problem is that people can put sensitive info in the payload.
None of it is encrypted, it's only signed with HMAC.
Unless you're keeping track of the tokens, once a token is issued it's valid until it expires, due to it's stateless nature.
You can use a JWT as a Bearer token, but since it's only base64 encoded, you can pull out that payload data.
A truly opaque Bearer token will be meaningless to anything other than your server.
Play with the debugger here to see what I'm talking about: https://jwt.io/