Using the custom JWT factory works better when you need to customize or optimize the verification, but if you prefer to use it to augment the token content from DB, then it must be run in a blocking mode, see https://quarkus.io/guides/security-jwt#blocking-calls. But the recommended Quarkus security way for augmenting the identity is to use SecurityIdentityAugmentor, see https://quarkus.io/guides/security-customization#security-identity-customization