The JWT has some extra fluff for the client, but only the Bearer token is used for secure communication. And every call to an API validates the Bearer token with an identity service. There is no automatic security because you have a token. That Bearer token (not the JWT) must clearly be validated and also validated with whatever functionality (Claims) is potentially being requested.
The metadata in the JWT is sort of a shortcut to let the front-end make assumptions, but it has no bearing on the actual capabilities. Only a valid Bearer token can determine if a call is secure (authenticated) and has the correct permissions (authorized).
So, you don't need a JWT, but without it, you're still going to need a way to send mundane metadata back to the front-end. This used to be (and still can be) a separate call for "config" or "permissions" data, but why bother? Just create claims in your identity server, mark your APIs with those claims and token validation, and you're in great shape.
That’s not metadata. Claims are usually user scopes based on actor definitions. Some users can view, some can edit, some are admins. Claims are often, but not always, about resources.
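The pattern discussed in the comments above (every API call validates the bearer token with the identity service and checks the claim the endpoint is marked with) can be sketched as follows. This is an added example, not code from either commenter: the in-memory `TOKENS` table stands in for the identity service, and the token values, claim names, `introspect`, `requires_claim` and the `X-Client-Claims` header are all hypothetical.

```python
import time
from functools import wraps

# Constructed stand-in for the identity service: opaque token -> server-side record.
TOKENS = {
    "tok-viewer": {"sub": "alice", "claims": {"orders:view"}, "exp": time.time() + 300},
    "tok-editor": {"sub": "bob", "claims": {"orders:view", "orders:edit"}, "exp": time.time() + 300},
    "tok-stale": {"sub": "carol", "claims": {"orders:edit"}, "exp": time.time() - 1},
}

def introspect(token):
    """Return the token's record if it is known and unexpired, else None."""
    record = TOKENS.get(token)
    if record is None or record["exp"] <= time.time():
        return None
    return record

def requires_claim(claim):
    """Mark a handler with the claim it needs; enforced on every call."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(request):
            auth = request.get("headers", {}).get("Authorization", "")
            scheme, _, token = auth.partition(" ")
            if scheme.lower() != "bearer" or not token:
                return 401, "missing bearer token"
            record = introspect(token)
            if record is None:
                return 401, "invalid or expired token"
            # Authorization uses only the identity service's answer; anything
            # the client asserts about itself (headers, body hints) is ignored.
            if claim not in record["claims"]:
                return 403, "missing claim " + claim
            return handler(request, record["sub"])
        return wrapper
    return decorator

@requires_claim("orders:edit")
def edit_order(request, user):
    return 200, "order updated by " + user

def call(token=None, extra=None):
    """Build a constructed request and send it to the protected handler."""
    headers = dict(extra or {})
    if token:
        headers["Authorization"] = "Bearer " + token
    return edit_order({"headers": headers})
```

A client that claims `orders:edit` for itself in a header still gets a 403, because the check reads only the server-side record.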