Like most Auth0 articles, the content is specific to their service. That said, using a public/private key JWT for your API services is good practice. As are short-lived tokens with a refresh mechanism in place, and API checks to ensure tokens are actually short-lived. Revocation is harder than ensuring short token lifespans in the first place and negates a lot of the value of JWT.
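
An added example, not part of the original comment: one way an API could check that a token is actually short-lived, by capping `exp - iat` instead of only checking that the token is unexpired. It assumes the signature was already verified against the issuer's public key; the function names, the 15-minute cap and the 30-second skew are assumptions.

```python
import math
import time

MAX_LIFETIME = 15 * 60   # assumed policy: a token may live at most 15 minutes
CLOCK_SKEW = 30          # assumed tolerance for clock drift, in seconds


class TokenLifetimeError(Exception):
    """Raised when verified claims violate the lifetime policy."""


def _numeric_date(claims, name):
    """Return claim `name` as a number; reject missing or non-numeric values."""
    value = claims.get(name)
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise TokenLifetimeError(f"{name} missing or not a NumericDate")
    if not math.isfinite(value):
        raise TokenLifetimeError(f"{name} is not a finite number")
    return value


def check_lifetime(claims, now=None, max_lifetime=MAX_LIFETIME, skew=CLOCK_SKEW):
    """Enforce a short lifetime on claims whose signature was already verified.

    Returns the remaining validity in seconds, or raises TokenLifetimeError.
    """
    now = time.time() if now is None else now
    iat = _numeric_date(claims, "iat")
    exp = _numeric_date(claims, "exp")
    if exp <= iat:
        raise TokenLifetimeError("exp is not after iat")
    if exp - iat > max_lifetime:
        # Unexpired, but minted with a longer life than the API accepts.
        raise TokenLifetimeError("token lifetime exceeds policy")
    if iat > now + skew:
        raise TokenLifetimeError("iat is in the future")
    if now >= exp + skew:
        raise TokenLifetimeError("token expired")
    return exp - now


if __name__ == "__main__":
    t = 1_700_000_000  # constructed timestamp for the demo
    print(check_lifetime({"iat": t - 60, "exp": t + 240}, now=t))
```
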