Interesting. I was thinking of 'embedding' a JWT in the body. So one JWT/JWE is for authentication. Instead of using it to connect to an API for data exchange, the data to be exchanged is in its own JWT. This JWT represents a defined digital transport / trade document as a small dataset. This allows the recipient to use the included data 'how he needs to' and not based on a predefined business logic that needs to be agreed on to have an API integration. The use case here is a federated system where many parties collaborate in the operational logistics of the supply chain but do not have a singular authority / platform they adhere to. The idea is that a party can participate in receiving and sharing data in this manner, which provides evidence of sharing / receiving without a centralized system or the usage of blockchain to register immutably.
Any feedback on good practices of including JWTs in the body of a request?
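
An added example (not part of the original post) of the layout described above: the document travels in the request body as its own signed JWS, verified independently of the authentication token. It assumes Node.js, Ed25519 keys exchanged out of band, and hypothetical names (`signDocument`, `verifyDocument`, `carrier.example`, `consignee.example`, the `doc` claim).

```javascript
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');

// Sender: sign the document claims as a compact JWS (EdDSA over Ed25519, RFC 8037).
function signDocument(claims, privateKey, kid) {
  const header = b64u(JSON.stringify({ alg: 'EdDSA', typ: 'JWT', kid }));
  const input = `${header}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign(null, Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Recipient: verify against keys it already trusts, then check the claims.
function verifyDocument(jws, trustedKeys, expectedAud, now) {
  const parts = jws.split('.');
  if (parts.length !== 3) throw new Error('malformed JWS');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  // Pin the algorithm; the token must not choose how it is verified.
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg');
  // The key comes from the recipient's own trust store, never from the token.
  const key = trustedKeys.get(header.kid);
  if (!key) throw new Error('unknown signer');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify(null, signed, key, Buffer.from(parts[2], 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  // A document signed for another party must not be accepted here.
  if (claims.aud !== expectedAud) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed sample: a carrier signs a waybill for one consignee.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const trusted = new Map([['carrier-key-1', publicKey]]); // hypothetical key id
const NOW = 1700000000; // fixed clock so the sample is reproducible
const docJwt = signDocument({
  iss: 'carrier.example', aud: 'consignee.example', jti: 'doc-0001',
  iat: NOW, exp: NOW + 3600, doc: { type: 'waybill', packages: 12 },
}, privateKey, 'carrier-key-1');

// The auth token stays in the Authorization header; the body carries the document JWS.
const requestBody = JSON.stringify({ document: docJwt });
const received = verifyDocument(JSON.parse(requestBody).document, trusted, 'consignee.example', NOW + 10);
console.log(received.jti, received.doc);
```

Because the signature covers the document itself and not the HTTP exchange, the recipient can keep the compact JWS as its record of what was received and from whom, and can use `jti` to reject duplicates.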