Yeah, I've seen this exact pattern. Cursor is aggressive about filling in code and it's seductive when it works. But auth, payment processing, database migrations - anything with state or security implications needs a different approach.
The issue isn't really Cursor vs Copilot. It's that you need to treat generated code like junior code review. For critical path stuff, I actually just write the skeleton myself and use AI for boilerplate filling, not logic generation. Takes longer upfront but the diffs are actually reviewable.
For your JWT case specifically, that's a "read the whole thing carefully" moment regardless of tool. Generated or human-written, expired token handling gets you burned eventually.