Company
Date Published
Author
Jimmy Zelinskie
Word count
1407
Language
English
Hacker News points
None

Summary

At AuthZed, we believe there's a time and place for every piece of technology; the tricky part is determining whether your use case actually is that time and place. For many years, domain experts have argued strongly against using JWTs for web sessions. While that campaign has helped improve the security of the web frontend, there has been no equivalent campaign for the backend. JWTs have a fundamental flaw: they can't be revoked when their claims or scopes become invalid for reasons other than the expiration stored in the JWT, which makes them vulnerable to the New Enemy Problem. Additionally, JWT scopes are vague and don't provide enough context for fine-grained authorization; they require an oracle to predict the necessary scopes ahead of time, which is impossible and leads to security issues. We built SpiceDB, an open source project that implements one alternative: centralized authorization. Centralized authorization accounts for the pitfalls of JWTs by having a central service that is contacted to perform each permission check, solving the New Enemy Problem and providing Fine-Grained Authorization. While there are scenarios where JWTs may be recommended, such as one-time grants where access cannot be revoked, centralized authorization systems like SpiceDB offer a more secure and scalable alternative.
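The revocation gap described above, shown as a small added simulation that is not code from the post or from SpiceDB. A stateless verifier checks only the HMAC signature and the exp claim baked in at issuance, so a still-unexpired token keeps granting access after the underlying permission was revoked; a constructed stand-in for a central authorization service (CentralAuthz, an assumed name, not SpiceDB's API) answers from current state instead. The secret, subject, scope string and timestamps are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used for the three JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url, re-adding the stripped padding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(sub: str, scopes: list, ttl: int, now: int) -> str:
    """Mint an HS256 token whose claims are frozen at issuance time."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def jwt_allows(token: str, scope: str, now: int) -> bool:
    """Stateless check: signature and exp only. Nothing here can see a later revocation."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False
    payload = json.loads(b64url_decode(p))
    if now >= payload["exp"]:
        return False
    return scope in payload["scope"].split()


class CentralAuthz:
    """Constructed stand-in for a centralized authorization service (not SpiceDB's API).

    Every check consults live state, so a revocation is visible on the next request.
    """

    def __init__(self):
        self._grants = set()

    def grant(self, sub: str, scope: str) -> None:
        self._grants.add((sub, scope))

    def revoke(self, sub: str, scope: str) -> None:
        self._grants.discard((sub, scope))

    def check(self, sub: str, scope: str) -> bool:
        return (sub, scope) in self._grants


def new_enemy_scenario() -> tuple:
    """Grant, issue a token, revoke, then re-check both ways inside the token's lifetime.

    Returns (jwt_decision, central_decision); the JWT still says yes, the central service says no.
    """
    t0 = 1_700_000_000  # constructed epoch timestamp
    authz = CentralAuthz()
    authz.grant("alice", "doc:123#read")
    token = issue_jwt("alice", ["doc:123#read"], ttl=3600, now=t0)

    # t0 + 60: an administrator removes alice's access to the document.
    authz.revoke("alice", "doc:123#read")

    # t0 + 120: alice presents the still-unexpired token to a stateless verifier.
    now = t0 + 120
    return jwt_allows(token, "doc:123#read", now), authz.check("alice", "doc:123#read")


if __name__ == "__main__":
    print(new_enemy_scenario())  # (True, False)
```

The only lever the stateless verifier has is the exp claim, which is why shortening token lifetimes is the usual mitigation for JWT-based access and why it is a trade-off rather than a fix: the window in which the "new enemy" keeps access is exactly the remaining lifetime of the token.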