A JWT is a public token; you can decode it on any system. You can only validate it if you have the secret key. I have been doing what you mentioned for years for my bot. I use the OAuth token to validate the user is who they say they are, then create a JWT for the rest of my auth processes to keep them logged into the system, and they have to re-login every 60ish days. I’m now just converting to an auth flow system but very similar setup: I’m sending the code to the server to auth who they say they are, then supplying a JWT for app auth.
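The distinction the comment draws (anyone can decode a JWT, only the holder of the secret can validate it) and the flow it describes (prove identity once via OAuth, then hand out a long-lived app JWT) are shown below in an added, stand-alone example written for this page; it is not code from the commenter's bot. It builds and checks HS256 tokens with the Python standard library only. The `lookup_identity_from_code` function is a constructed stand-in for the real OAuth code exchange, and the secret, user names and timestamps are made-up sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIXTY_DAYS = 60 * 24 * 3600  # the "60ish days" re-login window from the comment


def _b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(secret: bytes, subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT for a user whose identity has ALREADY been established."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_jwt_unverified(token: str) -> dict:
    """The 'public token' half: the payload is readable by anyone, no secret needed.
    Never trust anything returned here for authorization decisions."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_jwt(secret: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """The 'validate' half: returns the payload only if the HMAC matches our
    secret and the token has not expired; otherwise returns None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None  # not three dot-separated segments
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; do not let the token choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None  # wrong secret or tampered header/payload
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        return None  # expired: user must re-login, as in the comment's 60-day window
    return payload


# Constructed stand-in for the OAuth authorization-code exchange the comment
# describes ("sending the code to the server to auth who they say they are").
# A real server would redeem the code with the OAuth provider over HTTPS.
_FAKE_CODE_TO_USER = {"code-abc123": "alice"}


def lookup_identity_from_code(code: str) -> Optional[str]:
    return _FAKE_CODE_TO_USER.get(code)


def login_with_code(secret: bytes, code: str, now: Optional[int] = None) -> Optional[str]:
    """Full flow: OAuth code proves identity once, then the app issues its own JWT."""
    subject = lookup_identity_from_code(code)
    if subject is None:
        return None  # bad or replayed code: no app token is issued
    return issue_jwt(secret, subject, SIXTY_DAYS, now=now)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    tok = login_with_code(secret, "code-abc123", now=1_700_000_000)
    print("readable without secret:", decode_jwt_unverified(tok))
    print("verified with secret:", verify_jwt(secret, tok, now=1_700_000_000))
    print("verified with wrong secret:", verify_jwt(b"other", tok, now=1_700_000_000))
```

The `verify_jwt` function pins the algorithm to HS256 before checking the signature, uses `hmac.compare_digest` to avoid timing leaks, and treats an expired token exactly like an invalid one, which is what forces the periodic re-login the commenter relies on.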