JWT's are definitely the way to go. I do recommend that developers work out how to implement them without a third-party service, though. Auth0 is great, but it's so expensive if you want to use it beyond a little hobby project. It's surprisingly easy to use the jsonwebtokens package to create your own implementations.