No? They are literally your authentication. They are time-limited, but still pretty private.
Done well, they have an audience set for what they authenticate, which can limit the exposure back to the issuer. But you are supposed to trust that holding the token means you know who the user is.
Right?
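The audience point above, as an added example that is not from any commenter here: a constructed HS256 bearer token carries an `aud` claim, and the verifier rejects it when it is presented to a service other than the one it was minted for, or after it expires. The key, claim names and service names are assumptions for the demo, not from this thread.

```python
import base64, hashlib, hmac, json, time

# Assumption: a shared HMAC key used only for this constructed demo.
SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, aud: str, lifetime: int = 300, now=None) -> str:
    """Constructed HS256 token carrying sub, aud, iat and exp (not a library API)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "aud": aud, "iat": now, "exp": now + lifetime}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, expected_aud: str, now=None) -> dict:
    """Return the claims only if signature, expiry and audience all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")  # a token minted for another service stops here
    return claims

def is_accepted(token: str, expected_aud: str, now=None) -> bool:
    """Convenience wrapper: True only when verify_token accepts the token."""
    try:
        verify_token(token, expected_aud, now)
        return True
    except ValueError:
        return False
```

Because `billing-api` checks `aud`, a token it was issued for is useless against `admin-api`, which is the exposure limit the comment describes.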