authaway's comments

JWTs aren't just bad because they embody poor cryptographic engineering, but they are also bad because stateless authentication in itself is poor security engineering for almost every application.

> What solution would you choose today for stateless auth tokens?

Issue token (=random 256-bit string), verify against cached database. If you believe this to be a significant performance issue, you are very likely wrong.
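The pattern the comment describes, as an added illustration (this is not code from the commenter or from any project mentioned): issue an opaque 256-bit random token, keep only a hash of it server-side, and verify requests through a short-lived in-process cache in front of the backing store. The `SessionStore` class is a hypothetical in-memory stand-in for the database; the cache TTL and token lifetime are assumed values. Because the token is just a lookup key, revocation is immediate at the store and bounded by the cache TTL in each app instance, which is the property a purely stateless token cannot offer.

```python
import hashlib
import secrets
from typing import Optional

TOKEN_BYTES = 32  # 256 bits of entropy, matching the comment's suggestion


def _fingerprint(token: str) -> str:
    """Index tokens by their SHA-256 so a leaked session table cannot be replayed."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """Hypothetical in-memory stand-in for the database that holds sessions."""

    def __init__(self) -> None:
        self._rows: dict[str, dict] = {}

    def put(self, fp: str, user_id: str, expires_at: float) -> None:
        self._rows[fp] = {"user_id": user_id, "expires_at": expires_at}

    def get(self, fp: str) -> Optional[dict]:
        return self._rows.get(fp)

    def delete(self, fp: str) -> None:
        self._rows.pop(fp, None)


class TokenService:
    """Issue opaque random tokens and verify them against a cached store."""

    def __init__(self, store: SessionStore, ttl_seconds: int = 3600, cache_ttl: int = 60) -> None:
        self.store = store
        self.ttl = ttl_seconds            # assumed session lifetime
        self.cache_ttl = cache_ttl        # assumed per-instance cache lifetime
        self._cache: dict[str, tuple[dict, float]] = {}  # fp -> (row, cached_at)
        self.db_reads = 0                 # counter to show how rarely the store is hit

    def issue(self, user_id: str, now: float) -> str:
        """Mint a fresh token from the OS CSPRNG and record only its fingerprint."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.store.put(_fingerprint(token), user_id, now + self.ttl)
        return token

    def verify(self, token: str, now: float) -> Optional[str]:
        """Return the user id for a live token, or None if unknown, expired or revoked."""
        row = self._lookup(_fingerprint(token), now)
        if row is None or row["expires_at"] <= now:
            return None
        return row["user_id"]

    def revoke(self, token: str) -> None:
        """Delete the session; other instances see it within cache_ttl at most."""
        fp = _fingerprint(token)
        self.store.delete(fp)
        self._cache.pop(fp, None)

    def _lookup(self, fp: str, now: float) -> Optional[dict]:
        # Only positive results are cached, so guesses at forged tokens never
        # occupy cache memory; a miss costs one store read.
        hit = self._cache.get(fp)
        if hit is not None and now - hit[1] < self.cache_ttl:
            return hit[0]
        self.db_reads += 1
        row = self.store.get(fp)
        if row is not None:
            self._cache[fp] = (row, now)
        return row


if __name__ == "__main__":
    svc = TokenService(SessionStore(), ttl_seconds=3600, cache_ttl=60)
    tok = svc.issue("alice", now=0.0)
    print(svc.verify(tok, 1.0), svc.db_reads)   # alice 1
    print(svc.verify(tok, 2.0), svc.db_reads)   # alice 1 (served from cache)
    svc.revoke(tok)
    print(svc.verify(tok, 3.0))                 # None
```

The store lookup is a plain key fetch with no dependent data, so it caches and shards trivially; hashing the token before use also means a timing difference in the dictionary lookup reveals nothing about the secret itself.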


It's kinda funny how some people think that this would be a performance problem, but it's something that computers and programming languages are specifically designed to do really well.


KV lookups with no dependent data are pretty much infinitely scalable with modern systems.


It’s not the lookup that is the cost but the network call.


That's darn cheap in modern systems, and most are doing a plethora of network calls per request either way. .5% overhead won't matter for a long time.

