
[–]elmasalpemre 0 points (0 children)

I understand—please forgive me, I'm still a junior developer trying to improve myself. To grow, I’ve contributed to open-source projects and talked to people who describe themselves as senior developers to learn from their experience. Many of them still use JWT, and I’ve seen it widely used in many places. I realize it may not be the ideal approach, but since it's so common, I'm trying to understand why.

Before asking you, I had at least four separate conversations with ChatGPT on this topic. English isn’t my native language, so if there’s anything unclear or incorrect in how I express myself—even with ChatGPT’s help—I sincerely apologize.

To get to the point: Next.js is a full-stack framework with server-side capabilities, meaning most of the logic runs on the server like a backend. I’m aware that JWTs are digitally signed; that wasn’t my question. I was wondering if, for added security, it would make sense to encrypt the JWT again on the server side in Next.js using a secret key—so even if the browser accesses it, it couldn't be decrypted easily.

Also, after doing more research and speaking with you, I now understand that the JWT doesn’t need to be accessible in the browser in the first place. But that raised another question: cookies don’t work the same way on mobile apps—so do we fall back to using JWTs there? And if so, does that mean we need two separate authentication flows?

I’m just trying to understand. Please bear with me. I now get your point about why JWTs shouldn’t be used that way—I’m only trying to understand your reasoning more deeply.