I wish the author went deeper into the topic. For example, JWTs have a pretty straightforward structure, and if you use just a subset of the spec they look like a clean and simple solution. But did the author check Macaroons? Did they consider SSL Client Certificates?