Ref: Is there a best practice for what info can be in access token - #2 by baskarrao.dandlamudi – where they say that you can use either if the backend is your own and not some 3rd-party service.
and for HTTP request on every single call to my endpoint in order to verify an access token
– I think how we do it is: we generate a JWT access_token and not the string one. We have rules that add additional info to the access_token JWT that GraphQL can use.
In GraphQL or another API we verify the JWT is valid (there are libs) and, once verified, we decode it to get that info, which can be used to make further calls / lookups.
Since the JWT access_token will be sent from the browser as headers to GraphQL / the API, we kept info in the JWT such that if someone malicious gets access to that JWT and decodes it, those IDs would mean nothing to them. Also, due to the expiry time, they might be able to use that JWT access_token and call my GraphQL directly (assuming they know the GraphQL) only for a period of 10 mins or so.
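The verify-then-decode flow described in this reply, as an added example that is not the poster's code or any Auth0 library: it checks the signature, expiry and audience before reading a namespaced custom claim, and rejects a tampered payload. It assumes an HS256 shared secret, the claim namespace `https://example.invalid/`, and a constructed `mint_token` helper standing in for the identity provider so it runs offline.

```python
import base64, hashlib, hmac, json, time

NAMESPACE = "https://example.invalid/"  # assumed namespace for the rule-added custom claims

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, secret: bytes) -> str:
    # Constructed stand-in for the identity provider; a real API never mints its own tokens.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Return the claims only after signature, exp and aud all check out; else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # decode only after the signature is trusted
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims

def tenant_from_request(token: str, secret: bytes, audience: str, now=None) -> str:
    # What a GraphQL resolver would do: verify, then read the opaque internal ID for lookups.
    claims = verify_token(token, secret, audience, now)
    tenant = claims.get(NAMESPACE + "tenant_id")
    if tenant is None:
        raise ValueError("missing tenant claim")
    return tenant
```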