I can’t say that they make a convincing argument against JWT and their derivatives. Plus I’m not impressed by secrets management that suggests “safely store a shared secret key (maybe in environment variables”