Stop Using JSON Web Tokens (JWTs) for Authorization!

JWTs (JSON Web Tokens) are everywhere—frontends, backends, microservices—and for good reason: they're easy to pass around, self-contained, and standardized. But while JWTs can be a solid fit for authentication, using them for authorization is a decision that comes with serious pitfalls—especially in distributed systems.

In this talk, we’ll explore the technical and security limitations of JWT-based authorization and explain why they're fundamentally incompatible with the needs of modern applications. From the infamous "New Enemy Problem" described in Google’s Zanzibar paper to the vague semantics of scope claims and the difficulty of revoking tokens in-flight, we’ll unpack the real-world consequences of treating JWTs as your AuthZ layer.

Topics covered in this talk include:

• Why stateless tokens fall short for authorization
• How centralized, relationship-based models enable fine-grained, revocable, and context-aware permissions
• Concrete migration strategies and patterns for adopting centralized authorization

Sohan Maheshwar

Developer Advocate Lead at AuthZed

Amsterdam, The Netherlands
